start converting dnssec system test to python/jinja2

- changed named.conf.in to named.conf.j2 in all server directories that
  don't currently need to use copy_setports() during the test.
- converted the tests that use ns5 to python, and replaced
  named1.conf.in and named2.conf.in with a jinja2 template instead.
  the only remaining server that still needs copy_setports() is ns4.
- removed ns4/named5.conf.in, and moved its functions to ns5 (which
  is supposed to be for servers with broken trust-anchor configurations,
  so it should have been there in the first place). converted the tests
  that used that ns4 configuration to use ns5 with jinja instead.
- revised the remaining ns4 configurations (named[1-4].conf.in) to
  minimize the differences between them. this will make it easier to
  convert it into a jinja2 template later.

bin/tests/system/dnssec/ns1/sign.sh

@@ -45,7 +45,7 @@ cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
 
 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
 
-# Configure the resolving server with a staitc key.
+# Configure the resolving server with a static key.
 keyfile_to_static_ds "$ksk" >trusted.conf
 cp trusted.conf ../ns2/trusted.conf
 cp trusted.conf ../ns3/trusted.conf
@@ -70,4 +70,4 @@ keyfile_to_key_id "$ksk" >managed.key.id
 # Also generate a broken trusted-keys file for the dnssec test.
 #
 broken=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" .)
-keyfile_to_static_ds "$broken" >../ns4/broken.conf
+keyfile_to_static_ds "$broken" >../ns5/broken.conf

bin/tests/system/dnssec/ns4/named1.conf.in

@@ -22,26 +22,23 @@ options {
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	recursion yes;
-	dnssec-validation yes;
 	minimal-responses no;
 
 	nta-lifetime 12s;
 	nta-recheck 9s;
 	validate-except { corp; };
 
-	disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
-	disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
-	disable-ds-digests "ds-unsupported.example." {"SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
-	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
-
 	# Note: We only reference the bind.keys file here to confirm that it
 	# is *not* being used.  It contains the real root key, and we're
 	# using a local toy root zone for the tests, so it wouldn't work.
 	# But since dnssec-validation is set to "yes" not "auto", that
 	# won't matter.
+	dnssec-validation yes;
 	bindkeys-file "../../../../../bind.keys";
 };
 
+include "trusted.conf";
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
@@ -60,5 +57,3 @@ zone "corp" {
 	type static-stub;
 	server-addresses { 10.53.0.2; };
 };
-
-include "trusted.conf";

bin/tests/system/dnssec/ns4/named2.conf.in

@@ -22,13 +22,14 @@ options {
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	recursion yes;
+	minimal-responses no;
+
+	nta-lifetime 12s;
+	nta-recheck 9s;
+	validate-except { corp; };
+
 	dnssec-validation auto;
 	bindkeys-file "managed.conf";
-	minimal-responses no;
-	disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
-	disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";  };
-	disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
-	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
 };
 
 key rndc_key {
@@ -44,3 +45,8 @@ zone "." {
 	type hint;
 	file "../../_common/root.hint";
 };
+
+zone "corp" {
+	type static-stub;
+	server-addresses { 10.53.0.2; };
+};

bin/tests/system/dnssec/ns4/named3.conf.in

@@ -22,16 +22,17 @@ options {
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	recursion yes;
-	dnssec-validation auto;
-	bindkeys-file "managed.conf";
-	dnssec-accept-expired yes;
 	minimal-responses no;
+
+	nta-lifetime 12s;
+	nta-recheck 9s;
+	validate-except { corp; };
+
+	dnssec-accept-expired yes;
 	servfail-ttl 0;
 
-	disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
-	disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";};
-	disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
-	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+	dnssec-validation auto;
+	bindkeys-file "managed.conf";
 };
 
 key rndc_key {
@@ -47,3 +48,8 @@ zone "." {
 	type hint;
 	file "../../_common/root.hint";
 };
+
+zone "corp" {
+	type static-stub;
+	server-addresses { 10.53.0.2; };
+};

bin/tests/system/dnssec/ns4/named4.conf.in

@@ -21,6 +21,11 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	minimal-responses no;
+
+	nta-lifetime 12s;
+	nta-recheck 9s;
+
 	disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
 	disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
 	disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
@@ -41,14 +46,14 @@ key auth {
 	algorithm @DEFAULT_HMAC@;
 };
 
-include "trusted.conf";
-
 view rec {
 	match-recursive-only yes;
 	recursion yes;
-	dnssec-validation yes;
 	dnssec-accept-expired yes;
 	minimal-responses no;
+	dnssec-validation yes;
+
+	include "trusted.conf";
 
 	zone "." {
 		type hint;
@@ -69,6 +74,7 @@ view rec {
 view auth {
 	recursion no;
 	allow-recursion { none; };
+	dnssec-validation no;
 
 	zone "." {
 		type hint;

bin/tests/system/dnssec/ns4/named5.conf.in

@@ -1,54 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0.  If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS4
-
-options {
-	query-source address 10.53.0.4;
-	notify-source 10.53.0.4;
-	transfer-source 10.53.0.4;
-	port @PORT@;
-	pid-file "named.pid";
-	listen-on { 10.53.0.4; };
-	listen-on-v6 { none; };
-	recursion yes;
-	dnssec-validation yes;
-	minimal-responses no;
-
-};
-
-# Note: This contains a deliberately incorrect key,
-# so it won't work with the root zones used in the tests;
-# all signed data should SERVFAIL. This is to test the case
-# of a validating forwarder talking to a resolver that has
-# a misconfigured trust anchor.
-include "broken.conf";
-
-key rndc_key {
-	secret "1234abcd8765";
-	algorithm @DEFAULT_HMAC@;
-};
-
-controls {
-	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-zone "." {
-	type hint;
-	file "../../_common/root.hint";
-};
-
-zone "corp" {
-	type static-stub;
-	server-addresses { 10.53.0.2; };
-};

bin/tests/system/dnssec/ns5/named.conf.j2

@@ -13,15 +13,6 @@
 
 // NS5
 
-key rndc_key {
-	secret "1234abcd8765";
-	algorithm @DEFAULT_HMAC@;
-};
-
-controls {
-	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
 options {
 	query-source address 10.53.0.5;
 	notify-source 10.53.0.5;
@@ -31,23 +22,56 @@ options {
 	listen-on { 10.53.0.5; 127.0.0.1; };
 	listen-on-v6 { none; };
 	recursion yes;
-	dnssec-validation yes;
 };
 
-view root {
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+{% set revoked_key = revoked_key | default(False) %}
+{% set broken_key = broken_key | default(False) %}
+{% if revoked_key %}
+	view root {
 		match-destinations { 127.0.0.1; };
+		dnssec-validation no;
 
 		zone "." {
 			type primary;
 			file "root.db.signed";
 		};
-};
+	};
 
-view other {
-include "revoked.conf";
+	view other {
+		dnssec-validation yes;
+		include "revoked.conf";
 
 		zone "." {
 			type static-stub;
 			server-addresses { 127.0.0.1; };
 		};
-};
+	};
+{% elif broken_key %}
+	zone "." {
+		type hint;
+		file "../../_common/root.hint";
+	};
+
+	zone "corp" {
+		type static-stub;
+		server-addresses { 10.53.0.2; };
+	};
+
+	include "broken.conf";
+{% else %}
+	zone "." {
+		type hint;
+		file "../../_common/root.hint";
+	};
+
+	include "trusted.conf";
+{% endif %}

bin/tests/system/dnssec/ns5/named1.conf.in

@@ -1,43 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0.  If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS5
-
-options {
-	query-source address 10.53.0.5;
-	notify-source 10.53.0.5;
-	transfer-source 10.53.0.5;
-	port @PORT@;
-	pid-file "named.pid";
-	listen-on { 10.53.0.5; };
-	listen-on-v6 { none; };
-	recursion yes;
-	dnssec-validation yes;
-};
-
-key rndc_key {
-	secret "1234abcd8765";
-	algorithm @DEFAULT_HMAC@;
-};
-
-controls {
-	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-
-zone "." {
-	type hint;
-	file "../../_common/root.hint";
-};
-
-include "trusted.conf";

bin/tests/system/dnssec/ns9/named.conf.j2

@@ -24,7 +24,12 @@ options {
 	recursion yes;
 	dnssec-validation yes;
 	forward only;
+{% set forward_badkey = forward_badkey | default(False) %}
+{% if forward_badkey %}
+	forwarders { 10.53.0.5; };
+{% else %}
 	forwarders { 10.53.0.4; };
+{% endif %}
 	servfail-ttl 0;
 };
 

bin/tests/system/dnssec/setup.sh

@@ -16,18 +16,7 @@
 
 set -e
 
-copy_setports ns1/named.conf.in ns1/named.conf
-copy_setports ns2/named.conf.in ns2/named.conf
-copy_setports ns3/named.conf.in ns3/named.conf
-
 copy_setports ns4/named1.conf.in ns4/named.conf
-copy_setports ns5/named1.conf.in ns5/named.conf
-
-copy_setports ns6/named.conf.in ns6/named.conf
-copy_setports ns7/named.conf.in ns7/named.conf
-copy_setports ns8/named.conf.in ns8/named.conf
-
-copy_setports ns9/named.conf.in ns9/named.conf
 
 (
   cd ns1

bin/tests/system/dnssec/tests.sh

@@ -1054,33 +1054,6 @@ if [ -x "${DELV}" ]; then
   status=$((status + ret))
 fi
 
-# Try validating with a bad trusted key.
-# This should fail.
-
-echo_i "checking that validation fails with a misconfigured trusted key ($n)"
-ret=0
-dig_with_opts example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1
-grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that negative validation fails with a misconfigured trusted key ($n)"
-ret=0
-dig_with_opts example. ptr @10.53.0.5 >dig.out.ns5.test$n || ret=1
-grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that insecurity proofs fail with a misconfigured trusted key ($n)"
-ret=0
-dig_with_opts a.insecure.example. a @10.53.0.5 >dig.out.ns5.test$n || ret=1
-grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 echo_i "checking that validation fails when key record is missing ($n)"
 ret=0
 dig_with_opts a.b.keyless.example. a @10.53.0.4 >dig.out.ns4.test$n || ret=1
@@ -1210,34 +1183,6 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
-# Check that the setting the cd bit works
-
-echo_i "checking cd bit on a positive answer ($n)"
-ret=0
-dig_with_opts +noauth example. soa @10.53.0.4 \
-  >dig.out.ns4.test$n || ret=1
-dig_with_opts +noauth +cdflag example. soa @10.53.0.5 \
-  >dig.out.ns5.test$n || ret=1
-digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking cd bit on a negative answer ($n)"
-ret=0
-dig_with_opts q.example. soa @10.53.0.4 >dig.out.ns4.test$n || ret=1
-dig_with_opts +cdflag q.example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1
-digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 echo_i "checking insecurity proof works using negative cache ($n)"
 ret=0
 rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
@@ -1314,50 +1259,6 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
-echo_i "checking cd bit on a query that should fail ($n)"
-ret=0
-dig_with_opts a.bogus.example. soa @10.53.0.4 \
-  >dig.out.ns4.test$n || ret=1
-dig_with_opts +cdflag a.bogus.example. soa @10.53.0.5 \
-  >dig.out.ns5.test$n || ret=1
-digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking cd bit on an insecurity proof ($n)"
-ret=0
-dig_with_opts +noauth a.insecure.example. soa @10.53.0.4 \
-  >dig.out.ns4.test$n || ret=1
-dig_with_opts +noauth +cdflag a.insecure.example. soa @10.53.0.5 \
-  >dig.out.ns5.test$n || ret=1
-digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - these are looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking cd bit on a negative insecurity proof ($n)"
-ret=0
-dig_with_opts q.insecure.example. a @10.53.0.4 \
-  >dig.out.ns4.test$n || ret=1
-dig_with_opts +cdflag q.insecure.example. a @10.53.0.5 \
-  >dig.out.ns5.test$n || ret=1
-digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - these are looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 echo_i "checking that validation of an ANY query works ($n)"
 ret=0
 dig_with_opts +noauth foo.example. any @10.53.0.2 >dig.out.ns2.test$n || ret=1
@@ -3961,17 +3862,6 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
-echo_i "checking initialization with a revoked managed key ($n)"
-ret=0
-copy_setports ns5/named2.conf.in ns5/named.conf
-rndccmd 10.53.0.5 reconfig 2>&1 | sed 's/^/ns5 /' | cat_i
-sleep 3
-dig_with_opts +dnssec @10.53.0.5 SOA . >dig.out.ns5.test$n
-grep "status: SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)"
 ret=0
 (
@@ -4862,24 +4752,5 @@ n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-copy_setports ns4/named5.conf.in ns4/named.conf
-rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
-sleep 3
-
-echo_i "checking forwarder CD behavior (forward server with bad trust anchor) ($n)"
-ret=0
-# confirm invalid trust anchor produces SERVFAIL in resolver
-$DIG +tcp +dnssec -p "$PORT" @10.53.0.4 a.secure.example >dig.out.ns4.test$n || ret=1
-grep "status: SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
-# check that lookup using forwarder succeeds and that SERVFAIL was received
-nextpart ns9/named.run >/dev/null
-$DIG +tcp +dnssec -p "$PORT" @10.53.0.9 a.secure.example soa >dig.out.ns9.test$n || ret=1
-grep "status: NOERROR" dig.out.ns9.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns9.test$n >/dev/null || ret=1
-nextpart ns9/named.run | grep 'status: SERVFAIL' >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

bin/tests/system/dnssec/tests_badkey.py

@@ -0,0 +1,135 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from dns import flags
+
+import isctest
+
+
+def test_misconfigured_validation():
+    # check that validation fails with a misconfigured trust anchor
+    msg = isctest.query.create("example.", "SOA")
+    res = isctest.query.tcp(msg, "10.53.0.5")
+    isctest.check.servfail(res)
+
+
+def test_misconfigured_negative_validation():
+    # check that negative validation fails with a misconfigured trust anchor
+    msg = isctest.query.create("example.", "PTR")
+    res = isctest.query.tcp(msg, "10.53.0.5")
+    isctest.check.servfail(res)
+
+
+def test_misconfigured_insecurity():
+    # check that insecurity proofs fail with a misconfigured trust anchor
+    msg = isctest.query.create("a.insecure.example.", "A")
+    res = isctest.query.tcp(msg, "10.53.0.5")
+    isctest.check.servfail(res)
+
+
+def test_misconfigured_cd_positive():
+    # check AD bit of a positive answer with misconfigured trust anchor, CD=1
+    msg = isctest.query.create("example.", "SOA")
+    msg.flags |= flags.CD
+    res = isctest.query.tcp(msg, "10.53.0.5")
+    isctest.check.noerror(res)
+    assert (res.flags & flags.AD) == 0
+
+
+def test_misconfigured_cd_negative():
+    # check cd bit on a negative answer with misconfigured trust anchor, CD=1
+    msg = isctest.query.create("q.example.", "SOA")
+    msg.flags |= flags.CD
+    res = isctest.query.tcp(msg, "10.53.0.5")
+    isctest.check.nxdomain(res)
+    assert (res.flags & flags.AD) == 0
+    # compare the response from a correctly configured server
+    res2 = isctest.query.tcp(msg, "10.53.0.4")
+    isctest.check.nxdomain(res2)
+    assert (res2.flags & flags.AD) == 0
+    assert res.answer == res2.answer
+
+
+def test_misconfigured_cd_bogus():
+    # check cd bit on a query that should fail
+    msg = isctest.query.create("a.bogus.example.", "SOA")
+    msg.flags |= flags.CD
+    res = isctest.query.tcp(msg, "10.53.0.5")
+    isctest.check.noerror(res)
+    assert (res.flags & flags.AD) == 0
+    # compare the response from a correctly configured server
+    res2 = isctest.query.tcp(msg, "10.53.0.4")
+    isctest.check.noerror(res2)
+    assert (res2.flags & flags.AD) == 0
+    assert res.answer == res2.answer
+
+
+def test_misconfigured_cd_insecurity():
+    # check cd bit on an insecurity proof
+    msg = isctest.query.create("a.insecure.example.", "SOA")
+    msg.flags |= flags.CD
+    res = isctest.query.tcp(msg, "10.53.0.5")
+    isctest.check.noerror(res)
+    assert (res.flags & flags.AD) == 0
+    # compare the response from a correctly configured server
+    res2 = isctest.query.tcp(msg, "10.53.0.4")
+    isctest.check.noerror(res2)
+    assert (res2.flags & flags.AD) == 0
+    assert res.answer == res2.answer
+
+
+def test_misconfigured_cd_negative_insecurity():
+    # check cd bit on an insecurity proof
+    msg = isctest.query.create("q.insecure.example.", "A")
+    msg.flags |= flags.CD
+    res = isctest.query.tcp(msg, "10.53.0.5")
+    isctest.check.nxdomain(res)
+    assert (res.flags & flags.AD) == 0
+    # compare the response from a correctly configured server
+    res2 = isctest.query.tcp(msg, "10.53.0.4")
+    isctest.check.nxdomain(res2)
+    assert (res2.flags & flags.AD) == 0
+    assert res.answer == res2.answer
+
+
+def test_revoked_init(servers, templates):
+    # use a revoked key and try to reiniitialize; check for failure
+    ns5 = servers["ns5"]
+    templates.render("ns5/named.conf", {"revoked_key": True})
+    ns5.reconfigure(log=False)
+
+    msg = isctest.query.create(".", "SOA")
+    res = isctest.query.tcp(msg, "10.53.0.5")
+    isctest.check.servfail(res)
+
+
+def test_broken_forwarding(servers, templates):
+    # check forwarder CD behavior (forward server with bad trust anchor)
+    ns5 = servers["ns5"]
+    templates.render("ns5/named.conf", {"broken_key": True})
+    ns5.reconfigure(log=False)
+
+    ns9 = servers["ns9"]
+    templates.render("ns9/named.conf", {"forward_badkey": True})
+    ns9.reconfigure(log=False)
+
+    # confirm invalid trust anchor produces SERVFAIL in resolver
+    msg = isctest.query.create("a.secure.example.", "A")
+    res = isctest.query.tcp(msg, "10.53.0.5")
+    isctest.check.servfail(res)
+
+    # check that lookup involving forwarder succeeds and SERVFAIL was received
+    with ns9.watch_log_from_here() as watcher:
+        msg = isctest.query.create("a.secure.example.", "SOA")
+        res = isctest.query.tcp(msg, "10.53.0.9")
+        isctest.check.noerror(res)
+        assert (res.flags & flags.AD) != 0
+        watcher.wait_for_line("status: SERVFAIL")

bin/tests/system/dnssec/tests_sh_dnssec.py

@@ -35,6 +35,7 @@ pytestmark = pytest.mark.extra_artifacts(
         "*/*.jbk",
         "*/*.signed",
         "*/*.mkeys*",
+        "*/managed-keys.bind",
         "ans*/ans.run",
         "ans*/query.log",
         "ns1/managed.key.id",
@@ -160,12 +161,11 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns3/update-nsec3.example.db.signed",
         "ns3/upper.example.db",
         "ns3/upper.example.db.lower",
-        "ns4/broken.conf",
         "ns4/managed.conf",
-        "ns4/managed-keys.bind",
         "ns4/named.secroots",
         "ns4/named_dump.db",
         "ns4/named_dump.db.*",
+        "ns5/broken.conf",
         "ns5/revoked.conf",
         "ns6/optout-tld.db",
         "ns7/split-rrsig.db",
@@ -177,6 +177,7 @@ pytestmark = pytest.mark.extra_artifacts(
         "signer/example.db.changed",
         "signer/example2.db",
         "signer/example3.db",
+        "signer/general/*.jnl",
         "signer/general/dnskey.expect",
         "signer/general/dsset-*",
         "signer/general/signed.expect",