mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 14:07:59 +00:00
Code Issues Releases Wiki Activity

start converting dnssec system test to python/jinja2

Browse Source 
- changed named.conf.in to named.conf.j2 in all server directories that
  don't currently need to use copy_setports() during the test.
- converted the tests that use ns5 to python, and replaced
  named1.conf.in and named2.conf.in with a jinja2 template instead.
  the only remaining server that still needs copy_setports() is ns4.
- removed ns4/named5.conf.in, and moved its functions to ns5 (which
  is supposed to be for servers with broken trust-anchor configurations,
  so it should have been there in the first place). converted the tests
  that used that ns4 configuration to use ns5 with jinja instead.
- revised the remaining ns4 configurations (named[1-4].conf.in) to
  minimize the differences between them. this will make it easier to
  convert it into a jinja2 template later.
This commit is contained in:
Evan Hunt 2025-06-25 19:00:22 -07:00
parent 1563d71c1b
commit bcf41973bb
19 changed files with 225 additions and 284 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
bin/tests/system/dnssec/ns1/named.conf.in → bin/tests/system/dnssec/ns1/named.conf.j2
View File

4
bin/tests/system/dnssec/ns1/sign.sh
View File

@ -45,7 +45,7 @@ cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
# Configure the resolving server with a staitc key. # Configure the resolving server with a static key.
keyfile_to_static_ds "$ksk" >trusted.conf keyfile_to_static_ds "$ksk" >trusted.conf
cp trusted.conf ../ns2/trusted.conf cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf cp trusted.conf ../ns3/trusted.conf
@ -70,4 +70,4 @@ keyfile_to_key_id "$ksk" >managed.key.id
# Also generate a broken trusted-keys file for the dnssec test. # Also generate a broken trusted-keys file for the dnssec test.
# #
broken=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" .) broken=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" .)
keyfile_to_static_ds "$broken" >../ns4/broken.conf keyfile_to_static_ds "$broken" >../ns5/broken.conf

0
bin/tests/system/dnssec/ns2/named.conf.in → bin/tests/system/dnssec/ns2/named.conf.j2
View File

0
bin/tests/system/dnssec/ns3/named.conf.in → bin/tests/system/dnssec/ns3/named.conf.j2
View File

11
bin/tests/system/dnssec/ns4/named1.conf.in
View File

@ -22,26 +22,23 @@ options {
listen-on { 10.53.0.4; }; listen-on { 10.53.0.4; };
listen-on-v6 { none; }; listen-on-v6 { none; };
recursion yes; recursion yes;
dnssec-validation yes;
minimal-responses no; minimal-responses no;
nta-lifetime 12s; nta-lifetime 12s;
nta-recheck 9s; nta-recheck 9s;
validate-except { corp; }; validate-except { corp; };
disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
disable-ds-digests "ds-unsupported.example." {"SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
# Note: We only reference the bind.keys file here to confirm that it # Note: We only reference the bind.keys file here to confirm that it
# is *not* being used. It contains the real root key, and we're # is *not* being used. It contains the real root key, and we're
# using a local toy root zone for the tests, so it wouldn't work. # using a local toy root zone for the tests, so it wouldn't work.
# But since dnssec-validation is set to "yes" not "auto", that # But since dnssec-validation is set to "yes" not "auto", that
# won't matter. # won't matter.
dnssec-validation yes;
bindkeys-file "../../../../../bind.keys"; bindkeys-file "../../../../../bind.keys";
}; };
include "trusted.conf";
key rndc_key { key rndc_key {
secret "1234abcd8765"; secret "1234abcd8765";
algorithm @DEFAULT_HMAC@; algorithm @DEFAULT_HMAC@;
@ -60,5 +57,3 @@ zone "corp" {
type static-stub; type static-stub;
server-addresses { 10.53.0.2; }; server-addresses { 10.53.0.2; };
}; };
include "trusted.conf";

16
bin/tests/system/dnssec/ns4/named2.conf.in
View File

@ -22,13 +22,14 @@ options {
listen-on { 10.53.0.4; }; listen-on { 10.53.0.4; };
listen-on-v6 { none; }; listen-on-v6 { none; };
recursion yes; recursion yes;
minimal-responses no;
nta-lifetime 12s;
nta-recheck 9s;
validate-except { corp; };
dnssec-validation auto; dnssec-validation auto;
bindkeys-file "managed.conf"; bindkeys-file "managed.conf";
minimal-responses no;
disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
}; };
key rndc_key { key rndc_key {
@ -44,3 +45,8 @@ zone "." {
type hint; type hint;
file "../../_common/root.hint"; file "../../_common/root.hint";
}; };
zone "corp" {
type static-stub;
server-addresses { 10.53.0.2; };
};

20
bin/tests/system/dnssec/ns4/named3.conf.in
View File

@ -22,16 +22,17 @@ options {
listen-on { 10.53.0.4; }; listen-on { 10.53.0.4; };
listen-on-v6 { none; }; listen-on-v6 { none; };
recursion yes; recursion yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
dnssec-accept-expired yes;
minimal-responses no; minimal-responses no;
nta-lifetime 12s;
nta-recheck 9s;
validate-except { corp; };
dnssec-accept-expired yes;
servfail-ttl 0; servfail-ttl 0;
disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; dnssec-validation auto;
disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";}; bindkeys-file "managed.conf";
disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
}; };
key rndc_key { key rndc_key {
@ -47,3 +48,8 @@ zone "." {
type hint; type hint;
file "../../_common/root.hint"; file "../../_common/root.hint";
}; };
zone "corp" {
type static-stub;
server-addresses { 10.53.0.2; };
};

12
bin/tests/system/dnssec/ns4/named4.conf.in
View File

@ -21,6 +21,11 @@ options {
pid-file "named.pid"; pid-file "named.pid";
listen-on { 10.53.0.4; }; listen-on { 10.53.0.4; };
listen-on-v6 { none; }; listen-on-v6 { none; };
minimal-responses no;
nta-lifetime 12s;
nta-recheck 9s;
disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; }; disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
@ -41,14 +46,14 @@ key auth {
algorithm @DEFAULT_HMAC@; algorithm @DEFAULT_HMAC@;
}; };
include "trusted.conf";
view rec { view rec {
match-recursive-only yes; match-recursive-only yes;
recursion yes; recursion yes;
dnssec-validation yes;
dnssec-accept-expired yes; dnssec-accept-expired yes;
minimal-responses no; minimal-responses no;
dnssec-validation yes;
include "trusted.conf";
zone "." { zone "." {
type hint; type hint;
@ -69,6 +74,7 @@ view rec {
view auth { view auth {
recursion no; recursion no;
allow-recursion { none; }; allow-recursion { none; };
dnssec-validation no;
zone "." { zone "." {
type hint; type hint;

54
bin/tests/system/dnssec/ns4/named5.conf.in
View File

@ -1,54 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS4
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
dnssec-validation yes;
minimal-responses no;
};
# Note: This contains a deliberately incorrect key,
# so it won't work with the root zones used in the tests;
# all signed data should SERVFAIL. This is to test the case
# of a validating forwarder talking to a resolver that has
# a misconfigured trust anchor.
include "broken.conf";
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../_common/root.hint";
};
zone "corp" {
type static-stub;
server-addresses { 10.53.0.2; };
};

64
bin/tests/system/dnssec/ns5/named2.conf.in → bin/tests/system/dnssec/ns5/named.conf.j2
View File

@ -13,15 +13,6 @@
// NS5 // NS5
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
options { options {
query-source address 10.53.0.5; query-source address 10.53.0.5;
notify-source 10.53.0.5; notify-source 10.53.0.5;
@ -31,23 +22,56 @@ options {
listen-on { 10.53.0.5; 127.0.0.1; }; listen-on { 10.53.0.5; 127.0.0.1; };
listen-on-v6 { none; }; listen-on-v6 { none; };
recursion yes; recursion yes;
dnssec-validation yes;
}; };
view root { key rndc_key {
match-destinations { 127.0.0.1; }; secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
zone "." { controls {
type primary; inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
file "root.db.signed"; };
{% set revoked_key = revoked_key | default(False) %}
{% set broken_key = broken_key | default(False) %}
{% if revoked_key %}
view root {
match-destinations { 127.0.0.1; };
dnssec-validation no;
zone "." {
type primary;
file "root.db.signed";
};
}; };
};
view other { view other {
include "revoked.conf"; dnssec-validation yes;
include "revoked.conf";
zone "." {
type static-stub;
server-addresses { 127.0.0.1; };
};
};
{% elif broken_key %}
zone "." { zone "." {
type hint;
file "../../_common/root.hint";
};
zone "corp" {
type static-stub; type static-stub;
server-addresses { 127.0.0.1; }; server-addresses { 10.53.0.2; };
}; };
};
include "broken.conf";
{% else %}
zone "." {
type hint;
file "../../_common/root.hint";
};
include "trusted.conf";
{% endif %}

43
bin/tests/system/dnssec/ns5/named1.conf.in
View File

@ -1,43 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS5
options {
query-source address 10.53.0.5;
notify-source 10.53.0.5;
transfer-source 10.53.0.5;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
dnssec-validation yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../_common/root.hint";
};
include "trusted.conf";

0
bin/tests/system/dnssec/ns6/named.conf.in → bin/tests/system/dnssec/ns6/named.conf.j2
View File

0
bin/tests/system/dnssec/ns7/named.conf.in → bin/tests/system/dnssec/ns7/named.conf.j2
View File

0
bin/tests/system/dnssec/ns8/named.conf.in → bin/tests/system/dnssec/ns8/named.conf.j2
View File

5
bin/tests/system/dnssec/ns9/named.conf.in → bin/tests/system/dnssec/ns9/named.conf.j2
View File

@ -24,7 +24,12 @@ options {
recursion yes; recursion yes;
dnssec-validation yes; dnssec-validation yes;
forward only; forward only;
{% set forward_badkey = forward_badkey | default(False) %}
{% if forward_badkey %}
forwarders { 10.53.0.5; };
{% else %}
forwarders { 10.53.0.4; }; forwarders { 10.53.0.4; };
{% endif %}
servfail-ttl 0; servfail-ttl 0;
}; };

11
bin/tests/system/dnssec/setup.sh
View File

@ -16,18 +16,7 @@
set -e set -e
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named1.conf.in ns4/named.conf copy_setports ns4/named1.conf.in ns4/named.conf
copy_setports ns5/named1.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf
copy_setports ns9/named.conf.in ns9/named.conf
( (
cd ns1 cd ns1

129
bin/tests/system/dnssec/tests.sh
View File

@ -1054,33 +1054,6 @@ if [ -x "${DELV}" ]; then
status=$((status + ret)) status=$((status + ret))
fi fi
# Try validating with a bad trusted key.
# This should fail.
echo_i "checking that validation fails with a misconfigured trusted key ($n)"
ret=0
dig_with_opts example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1
grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
echo_i "checking that negative validation fails with a misconfigured trusted key ($n)"
ret=0
dig_with_opts example. ptr @10.53.0.5 >dig.out.ns5.test$n || ret=1
grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
echo_i "checking that insecurity proofs fail with a misconfigured trusted key ($n)"
ret=0
dig_with_opts a.insecure.example. a @10.53.0.5 >dig.out.ns5.test$n || ret=1
grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
echo_i "checking that validation fails when key record is missing ($n)" echo_i "checking that validation fails when key record is missing ($n)"
ret=0 ret=0
dig_with_opts a.b.keyless.example. a @10.53.0.4 >dig.out.ns4.test$n || ret=1 dig_with_opts a.b.keyless.example. a @10.53.0.4 >dig.out.ns4.test$n || ret=1
@ -1210,34 +1183,6 @@ n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret)) status=$((status + ret))
# Check that the setting the cd bit works
echo_i "checking cd bit on a positive answer ($n)"
ret=0
dig_with_opts +noauth example. soa @10.53.0.4 \
>dig.out.ns4.test$n || ret=1
dig_with_opts +noauth +cdflag example. soa @10.53.0.5 \
>dig.out.ns5.test$n || ret=1
digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
echo_i "checking cd bit on a negative answer ($n)"
ret=0
dig_with_opts q.example. soa @10.53.0.4 >dig.out.ns4.test$n || ret=1
dig_with_opts +cdflag q.example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1
digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
echo_i "checking insecurity proof works using negative cache ($n)" echo_i "checking insecurity proof works using negative cache ($n)"
ret=0 ret=0
rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
@ -1314,50 +1259,6 @@ n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret)) status=$((status + ret))
echo_i "checking cd bit on a query that should fail ($n)"
ret=0
dig_with_opts a.bogus.example. soa @10.53.0.4 \
>dig.out.ns4.test$n || ret=1
dig_with_opts +cdflag a.bogus.example. soa @10.53.0.5 \
>dig.out.ns5.test$n || ret=1
digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
echo_i "checking cd bit on an insecurity proof ($n)"
ret=0
dig_with_opts +noauth a.insecure.example. soa @10.53.0.4 \
>dig.out.ns4.test$n || ret=1
dig_with_opts +noauth +cdflag a.insecure.example. soa @10.53.0.5 \
>dig.out.ns5.test$n || ret=1
digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
# Note - these are looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
echo_i "checking cd bit on a negative insecurity proof ($n)"
ret=0
dig_with_opts q.insecure.example. a @10.53.0.4 \
>dig.out.ns4.test$n || ret=1
dig_with_opts +cdflag q.insecure.example. a @10.53.0.5 \
>dig.out.ns5.test$n || ret=1
digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
# Note - these are looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
echo_i "checking that validation of an ANY query works ($n)" echo_i "checking that validation of an ANY query works ($n)"
ret=0 ret=0
dig_with_opts +noauth foo.example. any @10.53.0.2 >dig.out.ns2.test$n || ret=1 dig_with_opts +noauth foo.example. any @10.53.0.2 >dig.out.ns2.test$n || ret=1
@ -3961,17 +3862,6 @@ n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret)) status=$((status + ret))
echo_i "checking initialization with a revoked managed key ($n)"
ret=0
copy_setports ns5/named2.conf.in ns5/named.conf
rndccmd 10.53.0.5 reconfig 2>&1 | sed 's/^/ns5 /' | cat_i
sleep 3
dig_with_opts +dnssec @10.53.0.5 SOA . >dig.out.ns5.test$n
grep "status: SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)" echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)"
ret=0 ret=0
( (
@ -4862,24 +4752,5 @@ n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret)) status=$((status + ret))
copy_setports ns4/named5.conf.in ns4/named.conf
rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
sleep 3
echo_i "checking forwarder CD behavior (forward server with bad trust anchor) ($n)"
ret=0
# confirm invalid trust anchor produces SERVFAIL in resolver
$DIG +tcp +dnssec -p "$PORT" @10.53.0.4 a.secure.example >dig.out.ns4.test$n || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
# check that lookup using forwarder succeeds and that SERVFAIL was received
nextpart ns9/named.run >/dev/null
$DIG +tcp +dnssec -p "$PORT" @10.53.0.9 a.secure.example soa >dig.out.ns9.test$n || ret=1
grep "status: NOERROR" dig.out.ns9.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns9.test$n >/dev/null || ret=1
nextpart ns9/named.run | grep 'status: SERVFAIL' >/dev/null || ret=1
n=$((n + 1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "exit status: $status" echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1 [ $status -eq 0 ] || exit 1

135
bin/tests/system/dnssec/tests_badkey.py Normal file
View File

@ -0,0 +1,135 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
from dns import flags
import isctest
def test_misconfigured_validation():
# check that validation fails with a misconfigured trust anchor
msg = isctest.query.create("example.", "SOA")
res = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.servfail(res)
def test_misconfigured_negative_validation():
# check that negative validation fails with a misconfigured trust anchor
msg = isctest.query.create("example.", "PTR")
res = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.servfail(res)
def test_misconfigured_insecurity():
# check that insecurity proofs fail with a misconfigured trust anchor
msg = isctest.query.create("a.insecure.example.", "A")
res = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.servfail(res)
def test_misconfigured_cd_positive():
# check AD bit of a positive answer with misconfigured trust anchor, CD=1
msg = isctest.query.create("example.", "SOA")
msg.flags |= flags.CD
res = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.noerror(res)
assert (res.flags & flags.AD) == 0
def test_misconfigured_cd_negative():
# check cd bit on a negative answer with misconfigured trust anchor, CD=1
msg = isctest.query.create("q.example.", "SOA")
msg.flags |= flags.CD
res = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.nxdomain(res)
assert (res.flags & flags.AD) == 0
# compare the response from a correctly configured server
res2 = isctest.query.tcp(msg, "10.53.0.4")
isctest.check.nxdomain(res2)
assert (res2.flags & flags.AD) == 0
assert res.answer == res2.answer
def test_misconfigured_cd_bogus():
# check cd bit on a query that should fail
msg = isctest.query.create("a.bogus.example.", "SOA")
msg.flags |= flags.CD
res = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.noerror(res)
assert (res.flags & flags.AD) == 0
# compare the response from a correctly configured server
res2 = isctest.query.tcp(msg, "10.53.0.4")
isctest.check.noerror(res2)
assert (res2.flags & flags.AD) == 0
assert res.answer == res2.answer
def test_misconfigured_cd_insecurity():
# check cd bit on an insecurity proof
msg = isctest.query.create("a.insecure.example.", "SOA")
msg.flags |= flags.CD
res = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.noerror(res)
assert (res.flags & flags.AD) == 0
# compare the response from a correctly configured server
res2 = isctest.query.tcp(msg, "10.53.0.4")
isctest.check.noerror(res2)
assert (res2.flags & flags.AD) == 0
assert res.answer == res2.answer
def test_misconfigured_cd_negative_insecurity():
# check cd bit on an insecurity proof
msg = isctest.query.create("q.insecure.example.", "A")
msg.flags |= flags.CD
res = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.nxdomain(res)
assert (res.flags & flags.AD) == 0
# compare the response from a correctly configured server
res2 = isctest.query.tcp(msg, "10.53.0.4")
isctest.check.nxdomain(res2)
assert (res2.flags & flags.AD) == 0
assert res.answer == res2.answer
def test_revoked_init(servers, templates):
# use a revoked key and try to reiniitialize; check for failure
ns5 = servers["ns5"]
templates.render("ns5/named.conf", {"revoked_key": True})
ns5.reconfigure(log=False)
msg = isctest.query.create(".", "SOA")
res = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.servfail(res)
def test_broken_forwarding(servers, templates):
# check forwarder CD behavior (forward server with bad trust anchor)
ns5 = servers["ns5"]
templates.render("ns5/named.conf", {"broken_key": True})
ns5.reconfigure(log=False)
ns9 = servers["ns9"]
templates.render("ns9/named.conf", {"forward_badkey": True})
ns9.reconfigure(log=False)
# confirm invalid trust anchor produces SERVFAIL in resolver
msg = isctest.query.create("a.secure.example.", "A")
res = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.servfail(res)
# check that lookup involving forwarder succeeds and SERVFAIL was received
with ns9.watch_log_from_here() as watcher:
msg = isctest.query.create("a.secure.example.", "SOA")
res = isctest.query.tcp(msg, "10.53.0.9")
isctest.check.noerror(res)
assert (res.flags & flags.AD) != 0
watcher.wait_for_line("status: SERVFAIL")

5
bin/tests/system/dnssec/tests_sh_dnssec.py
View File

@ -35,6 +35,7 @@ pytestmark = pytest.mark.extra_artifacts(
"*/*.jbk", "*/*.jbk",
"*/*.signed", "*/*.signed",
"*/*.mkeys*", "*/*.mkeys*",
"*/managed-keys.bind",
"ans*/ans.run", "ans*/ans.run",
"ans*/query.log", "ans*/query.log",
"ns1/managed.key.id", "ns1/managed.key.id",
@ -160,12 +161,11 @@ pytestmark = pytest.mark.extra_artifacts(
"ns3/update-nsec3.example.db.signed", "ns3/update-nsec3.example.db.signed",
"ns3/upper.example.db", "ns3/upper.example.db",
"ns3/upper.example.db.lower", "ns3/upper.example.db.lower",
"ns4/broken.conf",
"ns4/managed.conf", "ns4/managed.conf",
"ns4/managed-keys.bind",
"ns4/named.secroots", "ns4/named.secroots",
"ns4/named_dump.db", "ns4/named_dump.db",
"ns4/named_dump.db.*", "ns4/named_dump.db.*",
"ns5/broken.conf",
"ns5/revoked.conf", "ns5/revoked.conf",
"ns6/optout-tld.db", "ns6/optout-tld.db",
"ns7/split-rrsig.db", "ns7/split-rrsig.db",
@ -177,6 +177,7 @@ pytestmark = pytest.mark.extra_artifacts(
"signer/example.db.changed", "signer/example.db.changed",
"signer/example2.db", "signer/example2.db",
"signer/example3.db", "signer/example3.db",
"signer/general/*.jnl",
"signer/general/dnskey.expect", "signer/general/dnskey.expect",
"signer/general/dsset-*", "signer/general/dsset-*",
"signer/general/signed.expect", "signer/general/signed.expect",