diff --git a/bin/tests/system/dsdigest/clean.sh b/bin/tests/system/dsdigest/clean.sh
index 34379fd3b8..ba7d9c717f 100644
--- a/bin/tests/system/dsdigest/clean.sh
+++ b/bin/tests/system/dsdigest/clean.sh
@@ -11,12 +11,10 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-rm -f supported
 rm -f */K* */dsset-* */*.signed */trusted.conf
 rm -f ns1/root.db
 rm -f ns1/signer.err
 rm -f ns2/good.db ns2/bad.db
-rm -f dig.out*
 rm -f */named.conf
 rm -f */named.run
 rm -f */named.memstats
diff --git a/bin/tests/system/dsdigest/tests.sh b/bin/tests/system/dsdigest/tests.sh
deleted file mode 100644
index 9d9b9669e5..0000000000
--- a/bin/tests/system/dsdigest/tests.sh
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-. ../conf.sh
-
-status=0
-
-rm -f dig.out.*
-
-DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
-
-# Check the good. domain
-
-echo_i "checking that validation with enabled digest types works"
-ret=0
-$DIG $DIGOPTS a.good. @10.53.0.3 a >dig.out.good || ret=1
-grep "status: NOERROR" dig.out.good >/dev/null || ret=1
-grep "flags:[^;]* ad[ ;]" dig.out.good >/dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-# Check the bad. domain
-
-echo_i "checking that validation with no supported digest types and must-be-secure results in SERVFAIL"
-ret=0
-$DIG $DIGOPTS a.bad. @10.53.0.3 a >dig.out.bad || ret=1
-grep "SERVFAIL" dig.out.bad >/dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking that validation with no supported digest algorithms results in insecure"
-ret=0
-$DIG $DIGOPTS bad. @10.53.0.4 ds >dig.out.ds || ret=1
-grep "NOERROR" dig.out.ds >/dev/null || ret=1
-grep "flags:[^;]* ad[ ;]" dig.out.ds >/dev/null || ret=1
-$DIG $DIGOPTS a.bad. @10.53.0.4 a >dig.out.insecure || ret=1
-grep "NOERROR" dig.out.insecure >/dev/null || ret=1
-grep "flags:[^;]* ad[ ;]" dig.out.insecure >/dev/null && ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-echo_i "exit status: $status"
-
-[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dsdigest/tests_dsdigest.py b/bin/tests/system/dsdigest/tests_dsdigest.py
new file mode 100644
index 0000000000..3788003e27
--- /dev/null
+++ b/bin/tests/system/dsdigest/tests_dsdigest.py
@@ -0,0 +1,55 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import dns.message
+
+import isctest
+
+
+def test_dsdigest_good():
+ """Check that validation with enabled digest types works"""
+ msg = dns.message.make_query("a.good.", "A", want_dnssec=True)
+ res = isctest.query.tcp(
+ msg,
+ "10.53.0.3",
+ )
+ isctest.check.noerror(res)
+ assert res.flags & dns.flags.AD
+
+
+def test_dsdigest_bad():
+ """Check that validation with not supported digest types
+ and "dnssec-must-be-secure yes;" results in SERVFAIL"""
+ msg = dns.message.make_query("a.bad.", "A", want_dnssec=True)
+ res = isctest.query.tcp(
+ msg,
+ "10.53.0.3",
+ )
+ isctest.check.servfail(res)
+
+
+def test_dsdigest_insecure():
+ """Check that validation with not supported digest algorithms is insecure"""
+ msg_ds = dns.message.make_query("bad.", "DS", want_dnssec=True)
+ res_ds = isctest.query.tcp(
+ msg_ds,
+ "10.53.0.4",
+ )
+ isctest.check.noerror(res_ds)
+ assert res_ds.flags & dns.flags.AD
+
+ msg_a = dns.message.make_query("a.bad.", "A", want_dnssec=True)
+ res_a = isctest.query.tcp(
+ msg_a,
+ "10.53.0.4",
+ )
+ isctest.check.noerror(res_a)
+ assert not res_a.flags & dns.flags.AD
diff --git a/bin/tests/system/dsdigest/tests_sh_dsdigest.py b/bin/tests/system/dsdigest/tests_sh_dsdigest.py
deleted file mode 100644
index 348d704739..0000000000
--- a/bin/tests/system/dsdigest/tests_sh_dsdigest.py
+++ /dev/null
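Review bot: In test_dsdigest_insecure the final checks pass on any NOERROR response without AD, including one with an empty answer section, so the test would not notice if a.bad. stopped returning data through 10.53.0.4 and the insecure fallback for unsupported DS digest algorithms was no longer really exercised; the same holds for the DS query for bad. just above it. Adding `assert res_a.answer` and `assert res_ds.answer` before the flag checks would pin that actual records came back. Separately, the file uses `dns.flags.AD` while importing only `dns.message`, which presumably works through dnspython's own internal imports; an explicit `import dns.flags` would make that dependency visible. Writing the last line as `assert not (res_a.flags & dns.flags.AD)` would also make the intended precedence obvious to the next reader.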
@@ -1,14 +0,0 @@
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-
-def test_dsdigest(run_tests_sh):
- run_tests_sh()