Test secure chain that includes inactive KSK

Add a regression test case for the scenario where a secure chain of trust includes an inactive KSK, that is a KSK that is not signing the DNSKEY RRset.
2025-08-30 14:07:59 +00:00 · 2024-03-11 11:52:03 +01:00
parent 28536786de
commit f0bfd276e0
6 changed files with 90 additions and 0 deletions
--- a/bin/tests/system/dnssec/ns1/root.db.in
+++ b/bin/tests/system/dnssec/ns1/root.db.in
@@ -28,6 +28,8 @@ managed.		NS	ns2.managed.
 ns2.managed.		A	10.53.0.2
 trusted.		NS	ns2.trusted.
 ns2.trusted.		A	10.53.0.2
+lazy-ksk.		NS	ns2.lazy-ksk.
+ns2.lazy-ksk.		A	10.53.0.2
 optout-tld		NS	ns6.optout-tld.
 ns6.optout-tld.		A	10.53.0.6
 in-addr.arpa.		NS	ns2.example.
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -29,6 +29,7 @@ echo_i "ns1/sign.sh"
 cp "../ns2/dsset-example." .
 cp "../ns2/dsset-in-addr.arpa." .
 cp "../ns2/dsset-too-many-iterations." .
+cp "../ns2/dsset-lazy-ksk." .

 grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll."
 cp "../ns6/dsset-optout-tld." .
--- a/bin/tests/system/dnssec/ns2/lazy-ksk.db.in
+++ b/bin/tests/system/dnssec/ns2/lazy-ksk.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				30       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+*.a			A	10.0.0.3
+b			A	10.0.0.2
+d			A	10.0.0.4
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@@ -206,4 +206,11 @@ zone "too-many-iterations" {
 	file "too-many-iterations.db.signed";
 };

+zone "lazy-ksk" {
+	type primary;
+	file "lazy-ksk.db";
+	dnssec-policy "dnssec";
+	allow-update { any; };
+};
+
 include "trusted.conf";
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -312,3 +312,44 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
 "$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1
+
+#
+# A zone with a secure chain of trust of two KSKs, only one KSK is not signing.
+#
+zone=lazy-ksk
+infile=lazy-ksk.db.in
+zonefile=lazy-ksk.db
+ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+ksk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$ksk1.key" "$ksk2.key" "$ksk3.key" "$zsk.key" >"$zonefile"
+$DSFROMKEY "$ksk1.key" >"dsset-$zone."
+$DSFROMKEY "$ksk2.key" >>"dsset-$zone."
+$DSFROMKEY "$ksk3.key" >>"dsset-$zone."
+# Keep the KSK with the highest key tag
+id1=$(keyfile_to_key_id "$ksk1")
+id2=$(keyfile_to_key_id "$ksk2")
+id3=$(keyfile_to_key_id "$ksk3")
+if [ $id1 -gt $id2 ]; then
+  if [ $id1 -gt $id3 ]; then
+    rm1="$ksk2"
+    rm2="$ksk3"
+  else # id3 -gt $id1
+    rm1="$ksk2"
+    rm2="$ksk1"
+  fi
+else # $id2 -gt $id1
+  if [ $id2 -gt $id3 ]; then
+    rm1="$ksk1"
+    rm2="$ksk3"
+  else #id3 -gt $id2
+    rm1="$ksk2"
+    rm2="$ksk1"
+  fi
+fi
+
+rm "$rm1.key"
+rm "$rm1.private"
+rm "$rm2.key"
+rm "$rm2.private"
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3664,6 +3664,18 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))

+# Check that a query for a domain that has a KSK that is not actively signing
+# the DNSKEY RRset. This should not result in a broken trust chain if there is
+# another KSK that is signing the DNSKEY RRset.
+echo_i "checking that a secure chain with one active and one inactive KSK validates as secure ($n)"
+ret=0
+dig_with_opts @10.53.0.4 a.lazy-ksk A >dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 # TODO: test case for GL #1689.
 # If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5)
 # we could write a test that signs a zone with supported and unsupported