git.ipfire.org Git - thirdparty/bind9.git/commit

author	Nicki Křížek <nicki@isc.org>
	Mon, 13 Apr 2026 12:55:54 +0000 (12:55 +0000)
committer	Mark Andrews <marka@isc.org>
	Thu, 25 Jun 2026 05:21:00 +0000 (15:21 +1000)
commit	a2b9dcff540ff257621997a09d4484651d1c98ed
tree	2cbf43dd94a229695a2aa476e91b5c86d01862ae	tree \| snapshot
parent	95a268f119623f8106f4ed24a39ec180708b5576	commit \| diff

Add dnssec_py/tests_sibling_ds: reject DS for sibling zones in referrals

Add a system test that verifies the resolver rejects DS records whose
owner name does not match the delegation (NS) name in a referral
response.

A custom authoritative server (ans4) serves the parent zone sibling-ds.
from zone file with delegations for child and sibling subzones. Its
DomainHandler injects a DS record for sibling.sibling-ds into referrals
for child.sibling-ds. The resolver must detect the mismatch, log "DS
doesn't match referral (NS)", and return SERVFAIL.

Assisted-by: Claude:claude-opus-4-8

bin/tests/system/dnssec_py/ans4/ans.py	[new file with mode: 0644]	blob
bin/tests/system/dnssec_py/common.py		diff \| blob \| blame \| history
bin/tests/system/dnssec_py/tests_sibling_ds.py	[new file with mode: 0644]	blob