From: Matthijs Mekking Date: Tue, 25 Nov 2025 07:56:32 +0000 (+0100) Subject: Test sending NOTIFY(CDS) messages X-Git-Tag: v9.21.17~21^2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e344fe18bcc8ca2204470717ddfe70dbba293c8e;p=thirdparty%2Fbind9.git Test sending NOTIFY(CDS) messages When starting up the services, send notifies for the existing CDS RRset. This requires setting up a chain of trust for the test, so the DSYNC records can be retrieved and validated. This feature requires enabling 'notify-cds' and 'dnssec-validation'. In this test, the scanner is pointed to ns2. Since there is no code for receiving NOTIFY(CDS) messages for delegations, this is treated as "not authoritative". Checking for this log message ensures us that the NOTIFY(CDS) message was actually sent. --- diff --git a/bin/tests/system/multisigner/ns1/named.conf.j2 b/bin/tests/system/multisigner/ns1/named.conf.j2 new file mode 100644 index 00000000000..86cd34ca3a2 --- /dev/null +++ b/bin/tests/system/multisigner/ns1/named.conf.j2 @@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; +}; + +zone "." { + type primary; + file "root.db.signed"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/multisigner/ns1/root.db.in b/bin/tests/system/multisigner/ns1/root.db.in new file mode 100644 index 00000000000..395e28089ec --- /dev/null +++ b/bin/tests/system/multisigner/ns1/root.db.in @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +multisigner. NS ns2.multisigner. +ns2.multisigner. A 10.53.0.2 + +secondary. NS ns2.secondary. +ns2.secondary. A 10.53.0.2 diff --git a/bin/tests/system/multisigner/ns1/setup.sh b/bin/tests/system/multisigner/ns1/setup.sh new file mode 100644 index 00000000000..293f6ff1923 --- /dev/null +++ b/bin/tests/system/multisigner/ns1/setup.sh @@ -0,0 +1,41 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +set -e + +zone=. +infile=root.db.in +zonefile=root.db + +echo_i "ns1/setup.sh" + +for tld in multisigner secondary; do + cp "../ns2/dsset-${tld}." . +done + +KSK=$($KEYGEN -q -fk -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone) +ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone) + +cat $infile $KSK.key $ZSK.key >$zonefile + +$SIGNER -g -o $zone $zonefile >/dev/null 2>&1 + +# Configure the resolving server with a static key. +keyfile_to_static_ds "$KSK" >trusted.conf +cp trusted.conf ../ns2/trusted.conf +cp trusted.conf ../ns3/trusted.conf +cp trusted.conf ../ns4/trusted.conf +cp trusted.conf ../ns5/trusted.conf diff --git a/bin/tests/system/multisigner/ns2/multisigner.db.in.j2 b/bin/tests/system/multisigner/ns2/multisigner.db.in.j2 new file mode 100644 index 00000000000..db9c07981c4 --- /dev/null +++ b/bin/tests/system/multisigner/ns2/multisigner.db.in.j2 @@ -0,0 +1,34 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +$ORIGIN multisigner. + +multisigner. IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 +ns2 A 10.53.0.2 + +scanner A 10.53.0.2 + +model2 NS ns3 + NS ns4 + +ns3.model2 A 10.53.0.3 +ns4.model2 A 10.53.0.4 + +*._dsync DSYNC CDS NOTIFY @PORT@ scanner diff --git a/bin/tests/system/multisigner/ns2/named.conf.j2 b/bin/tests/system/multisigner/ns2/named.conf.j2 new file mode 100644 index 00000000000..951c840d495 --- /dev/null +++ b/bin/tests/system/multisigner/ns2/named.conf.j2 @@ -0,0 +1,53 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + allow-notify { 10.53.0.3; 10.53.0.4; }; + dnssec-validation no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "multisigner" { + type primary; + file "multisigner.db.signed"; +}; + +zone "secondary" { + type primary; + file "secondary.db.signed"; +}; + +zone "." { + type hint; + file "../../_common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/multisigner/ns2/secondary.db.in.j2 b/bin/tests/system/multisigner/ns2/secondary.db.in.j2 new file mode 100644 index 00000000000..d108187ff21 --- /dev/null +++ b/bin/tests/system/multisigner/ns2/secondary.db.in.j2 @@ -0,0 +1,36 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +$ORIGIN secondary. + +secondary. IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 +ns2 A 10.53.0.2 + +scanner A 10.53.0.2 + +model2 NS ns3 + NS ns4 + +ns3.model2 A 10.53.0.3 +ns4.model2 A 10.53.0.4 + +model2._dsync DSYNC CSYNC NOTIFY @PORT@ scanner ; ignored, unknown rrtype +model2._dsync DSYNC DSYNC NOTIFY @PORT@ scanner ; ignored, bad rrtype +model2._dsync DSYNC CDS NOTIFY @PORT@ scanner diff --git a/bin/tests/system/multisigner/ns2/setup.sh b/bin/tests/system/multisigner/ns2/setup.sh new file mode 100644 index 00000000000..025c5d32047 --- /dev/null +++ b/bin/tests/system/multisigner/ns2/setup.sh @@ -0,0 +1,38 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +echo_i "ns2/setup.sh" + +setup() { + zone="$1" + echo_i "setting up zone: $zone" + infile="${zone}.db.in" + zonefile="${zone}.db" + + cp ../ns3/dsset-ns3-model2.$zone. . + cp ../ns4/dsset-ns4-model2.$zone. . + + KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 -f KSK $zone) + ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zone) + $DSFROMKEY $KSK.key >dsset-ns2-${zone}. + + cat $infile $KSK.key $ZSK.key >$zonefile + $SIGNER -g -o $zone $zonefile + # >/dev/null 2>&1 +} + +setup "multisigner" +setup "secondary" diff --git a/bin/tests/system/multisigner/ns3/named.conf.j2 b/bin/tests/system/multisigner/ns3/named.conf.j2 index 7cf25bbc448..fc51c882f42 100644 --- a/bin/tests/system/multisigner/ns3/named.conf.j2 +++ b/bin/tests/system/multisigner/ns3/named.conf.j2 @@ -24,9 +24,9 @@ options { listen-on { 10.53.0.3; }; listen-on-v6 { none; }; allow-transfer { any; }; - recursion no; key-directory "."; - dnssec-validation no; + dnssec-validation yes; + notify-cds yes; }; key rndc_key { @@ -52,4 +52,12 @@ zone "model2.secondary." { file "model2.secondary.db"; dnssec-policy model2; inline-signing yes; + notify no; }; + +zone "." { + type hint; + file "../../_common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/multisigner/ns3/setup.sh b/bin/tests/system/multisigner/ns3/setup.sh index 80327a1300c..2194f4e8d8b 100644 --- a/bin/tests/system/multisigner/ns3/setup.sh +++ b/bin/tests/system/multisigner/ns3/setup.sh @@ -23,20 +23,20 @@ zsktimes="-P now -A now" zone="model2.multisigner" echo_i "setting up zone: $zone" zonefile="${zone}.db" - -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone 2>keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone) +ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone) $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 +$DSFROMKEY $KSK.key >dsset-ns3-${zone}. zone="model2.secondary" echo_i "setting up zone: $zone" zonefile="${zone}.db" cp "../ns5/${zonefile}.in" "$zonefile" - -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone 2>keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone) +ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone) $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 +$DSFROMKEY $KSK.key >dsset-ns3-${zone}. # ZSK will be added to the other provider with nsupdate. cat "${ZSK}.key" | grep -v ";.*" >"${zone}.zsk" diff --git a/bin/tests/system/multisigner/ns4/named.conf.j2 b/bin/tests/system/multisigner/ns4/named.conf.j2 index 3f36f76cd57..017dd6c50af 100644 --- a/bin/tests/system/multisigner/ns4/named.conf.j2 +++ b/bin/tests/system/multisigner/ns4/named.conf.j2 @@ -24,9 +24,9 @@ options { listen-on { 10.53.0.4; }; listen-on-v6 { none; }; allow-transfer { any; }; - recursion no; key-directory "."; - dnssec-validation no; + dnssec-validation yes; + notify-cds yes; }; key rndc_key { @@ -52,4 +52,12 @@ zone "model2.secondary." { file "model2.secondary.db"; dnssec-policy model2; inline-signing yes; + notify no; }; + +zone "." { + type hint; + file "../../_common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/multisigner/ns4/setup.sh b/bin/tests/system/multisigner/ns4/setup.sh index c58ddce4954..d50d3bd26c0 100644 --- a/bin/tests/system/multisigner/ns4/setup.sh +++ b/bin/tests/system/multisigner/ns4/setup.sh @@ -23,20 +23,20 @@ zsktimes="-P now -A now" zone="model2.multisigner" echo_i "setting up zone: $zone" zonefile="${zone}.db" - -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone 2>keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone) +ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone) $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 +$DSFROMKEY $KSK.key >dsset-ns4-${zone}. zone="model2.secondary" echo_i "setting up zone: $zone" zonefile="${zone}.db" cp "../ns5/${zonefile}.in" "$zonefile" - -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone 2>keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone) +ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone) $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 +$DSFROMKEY $KSK.key >dsset-ns4-${zone}. # ZSK will be added to the other provider with nsupdate. cat "${ZSK}.key" | grep -v ";.*" >"${zone}.zsk" diff --git a/bin/tests/system/multisigner/ns5/named.conf.j2 b/bin/tests/system/multisigner/ns5/named.conf.j2 index eeae1309c5e..f6cf15e9914 100644 --- a/bin/tests/system/multisigner/ns5/named.conf.j2 +++ b/bin/tests/system/multisigner/ns5/named.conf.j2 @@ -24,7 +24,6 @@ options { listen-on { 10.53.0.5; }; listen-on-v6 { none; }; allow-transfer { any; }; - recursion no; key-directory "."; dnssec-validation no; notify-delay 0; @@ -44,3 +43,10 @@ zone "model2.secondary." { allow-update { any; }; file "model2.secondary.db"; }; + +zone "." { + type hint; + file "../../_common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/multisigner/setup.sh b/bin/tests/system/multisigner/setup.sh index af724609177..12d7073d264 100644 --- a/bin/tests/system/multisigner/setup.sh +++ b/bin/tests/system/multisigner/setup.sh @@ -16,6 +16,7 @@ set -e +# multi-signers ( cd ns3 $SHELL setup.sh @@ -28,3 +29,13 @@ set -e cd ns5 $SHELL setup.sh ) +# tld +( + cd ns2 + $SHELL setup.sh +) +# root +( + cd ns1 + $SHELL setup.sh +) diff --git a/bin/tests/system/multisigner/tests_multisigner.py b/bin/tests/system/multisigner/tests_multisigner.py index 6fdb177bd9f..bc53c249750 100644 --- a/bin/tests/system/multisigner/tests_multisigner.py +++ b/bin/tests/system/multisigner/tests_multisigner.py @@ -33,16 +33,20 @@ pytestmark = pytest.mark.extra_artifacts( "secondary.cds.ns*", "unused.*", "verify.out.*", - "ns*/K*", - "ns*/db-*", - "ns*/keygen.out.*", + "ns*/*.db", + "ns*/*.db.in", "ns*/*.jbk", "ns*/*.jnl", - "ns*/*.zsk", - "ns*/*.signed", "ns*/*.journal.out.*", + "ns*/*.signed", + "ns*/*.zsk", + "ns*/db-*", + "ns*/dsset-*", + "ns*/K*", + "ns*/keygen.out.*", + "ns*/managed-keys.bind*", "ns*/settime.out.*", - "ns*/model2.secondary.db", + "ns*/trusted.conf", ] ) @@ -503,7 +507,7 @@ def check_remove_cds( check_dnssec(server, zone, keys, expected) -def test_multisigner(ns3, ns4): +def test_multisigner(ns2, ns3, ns4): zone = "model2.multisigner" keyprops = [ f"ksk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent", @@ -515,6 +519,23 @@ def test_multisigner(ns3, ns4): isctest.kasp.wait_keymgr_done(ns3, zone) isctest.kasp.wait_keymgr_done(ns4, zone) + with ns3.watch_log_from_start() as watcher: + watcher.wait_for_line( + f"zone {zone}/IN: dsyncfetch: send NOTIFY(CDS) query to scanner.multisigner" + ) + + with ns4.watch_log_from_start() as watcher: + watcher.wait_for_line( + f"zone {zone}/IN (signed): dsyncfetch: send NOTIFY(CDS) query to scanner.multisigner" + ) + + with ns2.watch_log_from_start() as watcher: + # Receiving NOTIFY(CDS) has not been implemented yet. Until + # then, notifies for child zones towards the parent result in + # not authoritative (unless child and parent are served by the + # same name server). + watcher.wait_for_line(f"received notify for zone '{zone}': NOTAUTH") + keys3 = isctest.kasp.keydir_to_keylist(zone, ns3.identifier) ksks3 = [k for k in keys3 if k.is_ksk()] zsks3 = [k for k in keys3 if not k.is_ksk()] @@ -574,7 +595,7 @@ def test_multisigner(ns3, ns4): check_no_dnssec_in_journal(ns4, zone) -def test_multisigner_secondary(ns3, ns4, ns5): +def test_multisigner_secondary(ns2, ns3, ns4, ns5): zone = "model2.secondary" keyprops = [ f"ksk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent", @@ -586,6 +607,24 @@ def test_multisigner_secondary(ns3, ns4, ns5): isctest.kasp.wait_keymgr_done(ns3, zone) isctest.kasp.wait_keymgr_done(ns4, zone) + for server in [ns3, ns4]: + with server.watch_log_from_start() as watcher: + watcher.wait_for_line( + f"zone {zone}/IN (signed): dsyncfetch: send NOTIFY(CDS) query to scanner.secondary" + ) + + msg = f"zone {zone}/IN (signed): dsyncfetch: DSYNC RRtype CSYNC not supported, ignoring" + assert msg in server.log + msg = f"zone {zone}/IN (signed): dsyncfetch: DSYNC RRtype DSYNC not supported, ignoring" + assert msg in server.log + + with ns2.watch_log_from_start() as watcher: + # Receiving NOTIFY(CDS) has not been implemented yet. Until + # then, notifies for child zones towards the parent result in + # not authoritative (unless child and parent are served by the + # same name server). + watcher.wait_for_line(f"received notify for zone '{zone}': NOTAUTH") + keys3 = isctest.kasp.keydir_to_keylist(zone, ns3.identifier) ksks3 = [k for k in keys3 if k.is_ksk()] zsks3 = [k for k in keys3 if not k.is_ksk()]