From bcf41973bbe2637a032d928e2deb7ad9e3e8e8c9 Mon Sep 17 00:00:00 2001 
From: Evan Hunt Date: Wed, 25 Jun 2025 19:00:22 -0700 Subject: [PATCH] start converting dnssec system test to python/jinja2 - changed named.conf.in to named.conf.j2 in all server directories that don't currently need to use copy_setports() during the test. - converted the tests that use ns5 to python, and replaced named1.conf.in and named2.conf.in with a jinja2 template instead. the only remaining server that still needs copy_setports() is ns4. - removed ns4/named5.conf.in, and moved its functions to ns5 (which is supposed to be for servers with broken trust-anchor configurations, so it should have been there in the first place). converted the tests that used that ns4 configuration to use ns5 with jinja instead. - revised the remaining ns4 configurations (named[1-4].conf.in) to minimize the differences between them. this will make it easier to convert it into a jinja2 template later. --- .../ns1/{named.conf.in => named.conf.j2} | 0 bin/tests/system/dnssec/ns1/sign.sh | 4 +- .../ns2/{named.conf.in => named.conf.j2} | 0 .../ns3/{named.conf.in => named.conf.j2} | 0 bin/tests/system/dnssec/ns4/named1.conf.in | 11 +- bin/tests/system/dnssec/ns4/named2.conf.in | 16 ++- bin/tests/system/dnssec/ns4/named3.conf.in | 20 ++- bin/tests/system/dnssec/ns4/named4.conf.in | 12 +- bin/tests/system/dnssec/ns4/named5.conf.in | 54 ------- .../ns5/{named2.conf.in => named.conf.j2} | 64 ++++++--- bin/tests/system/dnssec/ns5/named1.conf.in | 43 ------ .../ns6/{named.conf.in => named.conf.j2} | 0 .../ns7/{named.conf.in => named.conf.j2} | 0 .../ns8/{named.conf.in => named.conf.j2} | 0 .../ns9/{named.conf.in => named.conf.j2} | 5 + bin/tests/system/dnssec/setup.sh | 11 -- bin/tests/system/dnssec/tests.sh | 129 ----------------- bin/tests/system/dnssec/tests_badkey.py | 135 ++++++++++++++++++ bin/tests/system/dnssec/tests_sh_dnssec.py | 5 +- 19 files changed, 225 insertions(+), 284 deletions(-) rename bin/tests/system/dnssec/ns1/{named.conf.in => named.conf.j2} (100%) rename 
bin/tests/system/dnssec/ns2/{named.conf.in => named.conf.j2} (100%) rename bin/tests/system/dnssec/ns3/{named.conf.in => named.conf.j2} (100%) delete mode 100644 bin/tests/system/dnssec/ns4/named5.conf.in rename bin/tests/system/dnssec/ns5/{named2.conf.in => named.conf.j2} (56%) delete mode 100644 bin/tests/system/dnssec/ns5/named1.conf.in rename bin/tests/system/dnssec/ns6/{named.conf.in => named.conf.j2} (100%) rename bin/tests/system/dnssec/ns7/{named.conf.in => named.conf.j2} (100%) rename bin/tests/system/dnssec/ns8/{named.conf.in => named.conf.j2} (100%) rename bin/tests/system/dnssec/ns9/{named.conf.in => named.conf.j2} (87%) create mode 100644 bin/tests/system/dnssec/tests_badkey.py diff --git a/bin/tests/system/dnssec/ns1/named.conf.in b/bin/tests/system/dnssec/ns1/named.conf.j2 similarity index 100% rename from bin/tests/system/dnssec/ns1/named.conf.in rename to bin/tests/system/dnssec/ns1/named.conf.j2 diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index 90286fb3e6..bd434aeb80 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -45,7 +45,7 @@ cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 -# Configure the resolving server with a staitc key. +# Configure the resolving server with a static key. keyfile_to_static_ds "$ksk" >trusted.conf cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns3/trusted.conf @@ -70,4 +70,4 @@ keyfile_to_key_id "$ksk" >managed.key.id # Also generate a broken trusted-keys file for the dnssec test. # broken=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" .) -keyfile_to_static_ds "$broken" >../ns4/broken.conf +keyfile_to_static_ds "$broken" >../ns5/broken.conf 
diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.j2 similarity index 100% rename from bin/tests/system/dnssec/ns2/named.conf.in rename to bin/tests/system/dnssec/ns2/named.conf.j2 diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.j2 similarity index 100% rename from bin/tests/system/dnssec/ns3/named.conf.in rename to bin/tests/system/dnssec/ns3/named.conf.j2 diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in index e9264c169f..a2413cef79 100644 --- a/bin/tests/system/dnssec/ns4/named1.conf.in +++ b/bin/tests/system/dnssec/ns4/named1.conf.in @@ -22,26 +22,23 @@ options { listen-on { 10.53.0.4; }; listen-on-v6 { none; }; recursion yes; - dnssec-validation yes; minimal-responses no; nta-lifetime 12s; nta-recheck 9s; validate-except { corp; }; - disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; - disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; - disable-ds-digests "ds-unsupported.example." {"SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; - disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; - # Note: We only reference the bind.keys file here to confirm that it # is *not* being used. It contains the real root key, and we're # using a local toy root zone for the tests, so it wouldn't work. # But since dnssec-validation is set to "yes" not "auto", that # won't matter. + dnssec-validation yes; bindkeys-file "../../../../../bind.keys"; }; +include "trusted.conf"; + key rndc_key { secret "1234abcd8765"; algorithm @DEFAULT_HMAC@; @@ -60,5 +57,3 @@ zone "corp" { type static-stub; server-addresses { 10.53.0.2; }; }; - -include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns4/named2.conf.in b/bin/tests/system/dnssec/ns4/named2.conf.in index bf82385f71..04d98b89ad 100644 --- a/bin/tests/system/dnssec/ns4/named2.conf.in +++ b/bin/tests/system/dnssec/ns4/named2.conf.in 
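Review bot: The four `disable-algorithms`/`disable-ds-digests` lines for digest-alg-unsupported.example, ds-unsupported.example and badalg.secure.example are dropped from named1.conf.in here, and from named2.conf.in and named3.conf.in in the following hunks, while named4.conf.in keeps them. If any tests.sh check queries those zones against 10.53.0.4 while one of the first three configurations is loaded, it would now validate with the algorithm or digest enabled instead of treating it as unsupported, so it is worth confirming that those checks only run under named4.conf; the commit message presents this as minimizing differences between the files rather than as a behaviour change. Moving `include "trusted.conf";` ahead of the `key`/`controls` statements looks harmless.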
@@ -22,13 +22,14 @@ options { listen-on { 10.53.0.4; }; listen-on-v6 { none; }; recursion yes; + minimal-responses no; + + nta-lifetime 12s; + nta-recheck 9s; + validate-except { corp; }; + dnssec-validation auto; bindkeys-file "managed.conf"; - minimal-responses no; - disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; - disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; - disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; - disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; }; key rndc_key { @@ -44,3 +45,8 @@ zone "." { type hint; file "../../_common/root.hint"; }; + +zone "corp" { + type static-stub; + server-addresses { 10.53.0.2; }; +}; diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in index d6a44c799d..28a9abe804 100644 --- a/bin/tests/system/dnssec/ns4/named3.conf.in +++ b/bin/tests/system/dnssec/ns4/named3.conf.in @@ -22,16 +22,17 @@ options { listen-on { 10.53.0.4; }; listen-on-v6 { none; }; recursion yes; - dnssec-validation auto; - bindkeys-file "managed.conf"; - dnssec-accept-expired yes; minimal-responses no; + + nta-lifetime 12s; + nta-recheck 9s; + validate-except { corp; }; + + dnssec-accept-expired yes; servfail-ttl 0; - disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; - disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";}; - disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; - disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; + dnssec-validation auto; + bindkeys-file "managed.conf"; }; key rndc_key { @@ -47,3 +48,8 @@ zone "." { type hint; file "../../_common/root.hint"; }; + +zone "corp" { + type static-stub; + server-addresses { 10.53.0.2; }; +}; diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in index 34f59b498a..4655d5959e 100644 
--- a/bin/tests/system/dnssec/ns4/named4.conf.in +++ b/bin/tests/system/dnssec/ns4/named4.conf.in @@ -21,6 +21,11 @@ options { pid-file "named.pid"; listen-on { 10.53.0.4; }; listen-on-v6 { none; }; + minimal-responses no; + + nta-lifetime 12s; + nta-recheck 9s; + disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; @@ -41,14 +46,14 @@ key auth { algorithm @DEFAULT_HMAC@; }; -include "trusted.conf"; - view rec { match-recursive-only yes; recursion yes; - dnssec-validation yes; dnssec-accept-expired yes; minimal-responses no; + dnssec-validation yes; + + include "trusted.conf"; zone "." { type hint; @@ -69,6 +74,7 @@ view rec { view auth { recursion no; allow-recursion { none; }; + dnssec-validation no; zone "." { type hint; diff --git a/bin/tests/system/dnssec/ns4/named5.conf.in b/bin/tests/system/dnssec/ns4/named5.conf.in deleted file mode 100644 index dae14c328b..0000000000 --- a/bin/tests/system/dnssec/ns4/named5.conf.in +++ /dev/null 
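Review bot: `minimal-responses no;` is added to the global `options` block in the first hunk while the unchanged copy inside `view rec` in the second hunk remains, so one of the two is now redundant; dropping the view-level line keeps the file in step with the other ns4 configurations, where the setting lives in `options`. Moving `include "trusted.conf";` into `view rec` and adding `dnssec-validation no;` to `view auth` scopes the trust anchors to the validating view, which reads as intended, but the `nta-lifetime`/`nta-recheck` settings placed in `options` only matter to that same view. A short comment above them, `// NTA settings only take effect in the validating "rec" view`, would save the next reader the cross-check.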
@@ -1,54 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS4 - -options { - query-source address 10.53.0.4; - notify-source 10.53.0.4; - transfer-source 10.53.0.4; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.4; }; - listen-on-v6 { none; }; - recursion yes; - dnssec-validation yes; - minimal-responses no; - -}; - -# Note: This contains a deliberately incorrect key, -# so it won't work with the root zones used in the tests; -# all signed data should SERVFAIL. This is to test the case -# of a validating forwarder talking to a resolver that has -# a misconfigured trust anchor. -include "broken.conf"; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -zone "." { - type hint; - file "../../_common/root.hint"; -}; - -zone "corp" { - type static-stub; - server-addresses { 10.53.0.2; }; -}; diff --git a/bin/tests/system/dnssec/ns5/named2.conf.in b/bin/tests/system/dnssec/ns5/named.conf.j2 similarity index 56% rename from bin/tests/system/dnssec/ns5/named2.conf.in rename to bin/tests/system/dnssec/ns5/named.conf.j2 index 6d0474b9d5..c47306f371 100644 --- a/bin/tests/system/dnssec/ns5/named2.conf.in +++ b/bin/tests/system/dnssec/ns5/named.conf.j2 @@ -13,15 +13,6 @@ // NS5 -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - options { query-source address 10.53.0.5; notify-source 10.53.0.5; 
@@ -31,23 +22,56 @@ options { listen-on { 10.53.0.5; 127.0.0.1; }; listen-on-v6 { none; }; recursion yes; - dnssec-validation yes; }; -view root { - match-destinations { 127.0.0.1; }; +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; - zone "." { - type primary; - file "root.db.signed"; +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +{% set revoked_key = revoked_key | default(False) %} +{% set broken_key = broken_key | default(False) %} +{% if revoked_key %} + view root { + match-destinations { 127.0.0.1; }; + dnssec-validation no; + + zone "." { + type primary; + file "root.db.signed"; + }; }; -}; -view other { -include "revoked.conf"; + view other { + dnssec-validation yes; + include "revoked.conf"; + zone "." { + type static-stub; + server-addresses { 127.0.0.1; }; + }; + }; +{% elif broken_key %} zone "." { + type hint; + file "../../_common/root.hint"; + }; + + zone "corp" { type static-stub; - server-addresses { 127.0.0.1; }; + server-addresses { 10.53.0.2; }; }; -}; + + include "broken.conf"; +{% else %} + zone "." { + type hint; + file "../../_common/root.hint"; + }; + + include "trusted.conf"; +{% endif %} diff --git a/bin/tests/system/dnssec/ns5/named1.conf.in b/bin/tests/system/dnssec/ns5/named1.conf.in deleted file mode 100644 index ef371e175a..0000000000 --- a/bin/tests/system/dnssec/ns5/named1.conf.in +++ /dev/null 
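Review bot: The options block loses `dnssec-validation yes;` (first removed line of this hunk) and the statement only reappears inside the two views of the `revoked_key` branch, so in the `broken_key` and default branches ns5 now runs with named's default, `auto`, which enables the built-in root trust anchor; both deleted files (ns5/named1.conf.in and ns4/named5.conf.in) set `yes` explicitly, and the ns4/named1.conf.in comment in this same patch notes that `yes` rather than `auto` is what keeps bind.keys out of play with the toy root. Unless the change is intended, keeping `dnssec-validation yes;` in `options` preserves the previous behaviour, and the `dnssec-validation no;` inside `view root` still overrides it for that view. A one-line comment above the two `{% set %}` lines, `{# revoked_key takes precedence when both flags are given #}`, would also document that passing both variables silently selects the revoked configuration.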
@@ -1,43 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS5 - -options { - query-source address 10.53.0.5; - notify-source 10.53.0.5; - transfer-source 10.53.0.5; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.5; }; - listen-on-v6 { none; }; - recursion yes; - dnssec-validation yes; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - - -zone "." { - type hint; - file "../../_common/root.hint"; -}; - -include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns6/named.conf.in b/bin/tests/system/dnssec/ns6/named.conf.j2 similarity index 100% rename from bin/tests/system/dnssec/ns6/named.conf.in rename to bin/tests/system/dnssec/ns6/named.conf.j2 diff --git a/bin/tests/system/dnssec/ns7/named.conf.in b/bin/tests/system/dnssec/ns7/named.conf.j2 similarity index 100% rename from bin/tests/system/dnssec/ns7/named.conf.in rename to bin/tests/system/dnssec/ns7/named.conf.j2 diff --git a/bin/tests/system/dnssec/ns8/named.conf.in b/bin/tests/system/dnssec/ns8/named.conf.j2 similarity index 100% rename from bin/tests/system/dnssec/ns8/named.conf.in rename to bin/tests/system/dnssec/ns8/named.conf.j2 diff --git a/bin/tests/system/dnssec/ns9/named.conf.in b/bin/tests/system/dnssec/ns9/named.conf.j2 similarity index 87% rename from bin/tests/system/dnssec/ns9/named.conf.in rename to bin/tests/system/dnssec/ns9/named.conf.j2 index 147d328ccf..3b0e39d3b5 100644 --- a/bin/tests/system/dnssec/ns9/named.conf.in 
+++ b/bin/tests/system/dnssec/ns9/named.conf.j2 @@ -24,7 +24,12 @@ options { recursion yes; dnssec-validation yes; forward only; +{% set forward_badkey = forward_badkey | default(False) %} +{% if forward_badkey %} + forwarders { 10.53.0.5; }; +{% else %} forwarders { 10.53.0.4; }; +{% endif %} servfail-ttl 0; }; diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh index dc53ea83e2..c6234f686c 100644 --- a/bin/tests/system/dnssec/setup.sh +++ b/bin/tests/system/dnssec/setup.sh @@ -16,18 +16,7 @@ set -e -copy_setports ns1/named.conf.in ns1/named.conf -copy_setports ns2/named.conf.in ns2/named.conf -copy_setports ns3/named.conf.in ns3/named.conf - copy_setports ns4/named1.conf.in ns4/named.conf -copy_setports ns5/named1.conf.in ns5/named.conf - -copy_setports ns6/named.conf.in ns6/named.conf -copy_setports ns7/named.conf.in ns7/named.conf -copy_setports ns8/named.conf.in ns8/named.conf - -copy_setports ns9/named.conf.in ns9/named.conf ( cd ns1 diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 60a3959ab2..a5f879b589 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh 
@@ -1054,33 +1054,6 @@ if [ -x "${DELV}" ]; then status=$((status + ret)) fi -# Try validating with a bad trusted key. -# This should fail. - -echo_i "checking that validation fails with a misconfigured trusted key ($n)" -ret=0 -dig_with_opts example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that negative validation fails with a misconfigured trusted key ($n)" -ret=0 -dig_with_opts example. ptr @10.53.0.5 >dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking that insecurity proofs fail with a misconfigured trusted key ($n)" -ret=0 -dig_with_opts a.insecure.example. a @10.53.0.5 >dig.out.ns5.test$n || ret=1 -grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "checking that validation fails when key record is missing ($n)" ret=0 dig_with_opts a.b.keyless.example. a @10.53.0.4 >dig.out.ns4.test$n || ret=1 
@@ -1210,34 +1183,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -# Check that the setting the cd bit works - -echo_i "checking cd bit on a positive answer ($n)" -ret=0 -dig_with_opts +noauth example. soa @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -dig_with_opts +noauth +cdflag example. soa @10.53.0.5 \ - >dig.out.ns5.test$n || ret=1 -digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking cd bit on a negative answer ($n)" -ret=0 -dig_with_opts q.example. soa @10.53.0.4 >dig.out.ns4.test$n || ret=1 -dig_with_opts +cdflag q.example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1 -digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "checking insecurity proof works using negative cache ($n)" ret=0 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i 
@@ -1314,50 +1259,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "checking cd bit on a query that should fail ($n)" -ret=0 -dig_with_opts a.bogus.example. soa @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -dig_with_opts +cdflag a.bogus.example. soa @10.53.0.5 \ - >dig.out.ns5.test$n || ret=1 -digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - this is looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking cd bit on an insecurity proof ($n)" -ret=0 -dig_with_opts +noauth a.insecure.example. soa @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -dig_with_opts +noauth +cdflag a.insecure.example. soa @10.53.0.5 \ - >dig.out.ns5.test$n || ret=1 -digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - these are looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - -echo_i "checking cd bit on a negative insecurity proof ($n)" -ret=0 -dig_with_opts q.insecure.example. a @10.53.0.4 \ - >dig.out.ns4.test$n || ret=1 -dig_with_opts +cdflag q.insecure.example. 
a @10.53.0.5 \ - >dig.out.ns5.test$n || ret=1 -digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 -grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 -# Note - these are looking for failure, hence the && -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "checking that validation of an ANY query works ($n)" ret=0 dig_with_opts +noauth foo.example. any @10.53.0.2 >dig.out.ns2.test$n || ret=1 @@ -3961,17 +3862,6 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) -echo_i "checking initialization with a revoked managed key ($n)" -ret=0 -copy_setports ns5/named2.conf.in ns5/named.conf -rndccmd 10.53.0.5 reconfig 2>&1 | sed 's/^/ns5 /' | cat_i -sleep 3 -dig_with_opts +dnssec @10.53.0.5 SOA . >dig.out.ns5.test$n -grep "status: SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1 -n=$((n + 1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status + ret)) - echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)" ret=0 ( 
@@ -4862,24 +4752,5 @@ n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) -copy_setports ns4/named5.conf.in ns4/named.conf -rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i -sleep 3 - -echo_i "checking forwarder CD behavior (forward server with bad trust anchor) ($n)" -ret=0 -# confirm invalid trust anchor produces SERVFAIL in resolver -$DIG +tcp +dnssec -p "$PORT" @10.53.0.4 a.secure.example >dig.out.ns4.test$n || ret=1 -grep "status: SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1 -# check that lookup using forwarder succeeds and that SERVFAIL was received -nextpart ns9/named.run >/dev/null -$DIG +tcp +dnssec -p "$PORT" @10.53.0.9 a.secure.example soa >dig.out.ns9.test$n || ret=1 -grep "status: NOERROR" dig.out.ns9.test$n >/dev/null || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns9.test$n >/dev/null || ret=1 -nextpart ns9/named.run | grep 'status: SERVFAIL' >/dev/null || ret=1 -n=$((n + 1)) -if [ "$ret" -ne 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dnssec/tests_badkey.py b/bin/tests/system/dnssec/tests_badkey.py new file mode 100644 index 0000000000..b646789e3a --- /dev/null +++ b/bin/tests/system/dnssec/tests_badkey.py 
@@ -0,0 +1,135 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from dns import flags + +import isctest + + +def test_misconfigured_validation(): + # check that validation fails with a misconfigured trust anchor + msg = isctest.query.create("example.", "SOA") + res = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.servfail(res) + + +def test_misconfigured_negative_validation(): + # check that negative validation fails with a misconfigured trust anchor + msg = isctest.query.create("example.", "PTR") + res = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.servfail(res) + + +def test_misconfigured_insecurity(): + # check that insecurity proofs fail with a misconfigured trust anchor + msg = isctest.query.create("a.insecure.example.", "A") + res = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.servfail(res) + + +def test_misconfigured_cd_positive(): + # check AD bit of a positive answer with misconfigured trust anchor, CD=1 + msg = isctest.query.create("example.", "SOA") + msg.flags |= flags.CD + res = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res) + assert (res.flags & flags.AD) == 0 + + +def test_misconfigured_cd_negative(): + # check cd bit on a negative answer with misconfigured trust anchor, CD=1 + msg = isctest.query.create("q.example.", "SOA") + msg.flags |= flags.CD + res = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.nxdomain(res) + assert (res.flags & flags.AD) == 0 + # compare the response from a correctly configured server + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res2) + assert (res2.flags & flags.AD) == 0 + assert 
res.answer == res2.answer + + +def test_misconfigured_cd_bogus(): + # check cd bit on a query that should fail + msg = isctest.query.create("a.bogus.example.", "SOA") + msg.flags |= flags.CD + res = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res) + assert (res.flags & flags.AD) == 0 + # compare the response from a correctly configured server + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res2) + assert (res2.flags & flags.AD) == 0 + assert res.answer == res2.answer + + +def test_misconfigured_cd_insecurity(): + # check cd bit on an insecurity proof + msg = isctest.query.create("a.insecure.example.", "SOA") + msg.flags |= flags.CD + res = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.noerror(res) + assert (res.flags & flags.AD) == 0 + # compare the response from a correctly configured server + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res2) + assert (res2.flags & flags.AD) == 0 + assert res.answer == res2.answer + + +def test_misconfigured_cd_negative_insecurity(): + # check cd bit on an insecurity proof + msg = isctest.query.create("q.insecure.example.", "A") + msg.flags |= flags.CD + res = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.nxdomain(res) + assert (res.flags & flags.AD) == 0 + # compare the response from a correctly configured server + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.nxdomain(res2) + assert (res2.flags & flags.AD) == 0 + assert res.answer == res2.answer + + +def test_revoked_init(servers, templates): + # use a revoked key and try to reiniitialize; check for failure + ns5 = servers["ns5"] + templates.render("ns5/named.conf", {"revoked_key": True}) + ns5.reconfigure(log=False) + + msg = isctest.query.create(".", "SOA") + res = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.servfail(res) + + +def test_broken_forwarding(servers, templates): + # check forwarder CD behavior (forward server with bad trust anchor) + ns5 = servers["ns5"] + 
templates.render("ns5/named.conf", {"broken_key": True}) + ns5.reconfigure(log=False) + + ns9 = servers["ns9"] + templates.render("ns9/named.conf", {"forward_badkey": True}) + ns9.reconfigure(log=False) + + # confirm invalid trust anchor produces SERVFAIL in resolver + msg = isctest.query.create("a.secure.example.", "A") + res = isctest.query.tcp(msg, "10.53.0.5") + isctest.check.servfail(res) + + # check that lookup involving forwarder succeeds and SERVFAIL was received + with ns9.watch_log_from_here() as watcher: + msg = isctest.query.create("a.secure.example.", "SOA") + res = isctest.query.tcp(msg, "10.53.0.9") + isctest.check.noerror(res) + assert (res.flags & flags.AD) != 0 + watcher.wait_for_line("status: SERVFAIL") diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py index c717eaff8f..bf1108518e 100644 --- a/bin/tests/system/dnssec/tests_sh_dnssec.py +++ b/bin/tests/system/dnssec/tests_sh_dnssec.py @@ -35,6 +35,7 @@ pytestmark = pytest.mark.extra_artifacts( "*/*.jbk", "*/*.signed", "*/*.mkeys*", + "*/managed-keys.bind", "ans*/ans.run", "ans*/query.log", "ns1/managed.key.id", @@ -160,12 +161,11 @@ pytestmark = pytest.mark.extra_artifacts( "ns3/update-nsec3.example.db.signed", "ns3/upper.example.db", "ns3/upper.example.db.lower", - "ns4/broken.conf", "ns4/managed.conf", - "ns4/managed-keys.bind", "ns4/named.secroots", "ns4/named_dump.db", "ns4/named_dump.db.*", + "ns5/broken.conf", "ns5/revoked.conf", "ns6/optout-tld.db", "ns7/split-rrsig.db", @@ -177,6 +177,7 @@ pytestmark = pytest.mark.extra_artifacts( "signer/example.db.changed", "signer/example2.db", "signer/example3.db", + "signer/general/*.jnl", "signer/general/dnskey.expect", "signer/general/dsset-*", "signer/general/signed.expect",
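Review bot: `test_revoked_init` and `test_broken_forwarding` re-render ns5/named.conf (and ns9/named.conf) and reconfigure the servers, but nothing restores the default template afterwards, so the eight `test_misconfigured_*` checks, which expect ns5 to be running the default `trusted.conf` configuration, only pass because pytest runs this file top to bottom; a reordered or selected run (`-k`, pytest-randomly) would query the revoked or broken configuration instead. A fixture that re-renders both templates with no variables and reconfigures after each of the two tests makes the module order-independent; it needs `import pytest` added to the module, and it assumes `templates.render` accepts an empty variable dict, which the `default(False)` filters in the templates appear to allow. Two comment nits in the same hunk: `test_revoked_init` reads `reiniitialize` (should be `reinitialize`), and `test_misconfigured_cd_negative_insecurity` repeats the previous test's comment, where `# check cd bit on a negative insecurity proof (NXDOMAIN)` would match what it asserts. `test_misconfigured_cd_positive` is also the only CD test that does not compare its answer with 10.53.0.4 the way the others do, which is worth aligning.
```python
@pytest.fixture
def restore_default_config(servers, templates):
    # run the test, then put ns5/ns9 back on the default template so
    # later tests do not inherit the revoked/broken trust-anchor setup
    yield
    for name in ("ns5", "ns9"):
        templates.render(f"{name}/named.conf", {})
        servers[name].reconfigure(log=False)


def test_revoked_init(servers, templates, restore_default_config):
    # … unchanged: render revoked_key template, reconfigure, SOA query …


def test_broken_forwarding(servers, templates, restore_default_config):
    # … unchanged: render broken_key / forward_badkey templates, queries …
```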