Test zone with truncated revoked DNSKEY

Ensure that named can handle a situation where the zone is signed with a
truncated, self-signed revoked DNSKEY. The signatures are inevitably
bogus and a SERVFAIL is expected. However, prior to CVE-2025-8677 fix,
this could trigger an assertion failure.

diff --git a/bin/tests/system/dnssec-malformed-dnskey/ns2/named.conf.j2 b/bin/tests/system/dnssec-malformed-dnskey/ns2/named.conf.j2
index 6f05c6d5efcbb986325123689d9f181d1dbeb1d0..8aa4a3ea02953e03a72a9be037fd8113c9a088aa 100644 (file)
--- a/bin/tests/system/dnssec-malformed-dnskey/ns2/named.conf.j2
+++ b/bin/tests/system/dnssec-malformed-dnskey/ns2/named.conf.j2
@@ -34,4 +34,9 @@ zone example. {
        file "example.db.signed.malformed";
 };
 
+zone truncated.selfsigned. {
+       type primary;
+       file "truncated.selfsigned.db.signed";
+};
+
 include "trusted.conf";

diff --git a/bin/tests/system/dnssec-malformed-dnskey/ns2/truncated.selfsigned.db.signed b/bin/tests/system/dnssec-malformed-dnskey/ns2/truncated.selfsigned.db.signed
new file mode 100644 (file)
index 0000000..ea49773
--- /dev/null
+++ b/bin/tests/system/dnssec-malformed-dnskey/ns2/truncated.selfsigned.db.signed
@@ -0,0 +1,40 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+@              IN SOA  mname1. . (
+                               1       ; serial
+                               600     ; refresh
+                               600     ; retry
+                               1200    ; expire
+                               600     ; minimum
+                               )
+
+@              NS      @
+@              A       10.53.0.2
+
+; The following DNSKEY is revoked and truncated. To trigger the test
+; condition, its key tag must be marked as trusted by the resolver.
+; Since the key isn't valid, all the RRSIGs in this file are bogus.
+@              DNSKEY  385 3 14 fQA=
+
+@              RRSIG   SOA 14 2 86400 20950926153053 20251013153053 33167 @ xxxx5f7U0DiPvKFxpB83mTyqkAO0TfM0 xe4ZMYoJUQEPYdd0GTNkFzI6crsbU0lQ t/V1YOxAt5B+T1ch9n5dhYwt7ZTqluI2 mr6myKMesdPl1zp1hEgkmFpCG3NOXl2Z
+@              RRSIG   NS 14 2 86400 20950926153053 20251013153053 33167 @ xxxxLBPc05g7v/K5UfGuXsHH8xd29eQb 5qWe+Ei4Qn0GlmH0x/VIJiJMZXuxD5S+ VhP7DiX7uKIxi0QS2DOK1aOMXq/2WiUV 2VBmYAoSUilMlJY84I2XbzqD5iz5y+yp
+@              RRSIG   A 14 2 86400 20950926153053 20251013153053 33167 @ xxxx6UguMh8jgdVox2UVURjEsAP0D8o2 mFofnFOd6eYf+49QlWD+GX6x60X/hPVi f2XFsajouCvT/ZSmoXKWad3RC1DLHF/H TdOGMKlT4DfvbeJV+N5N0bgu2Wv3QRdM
+@              RRSIG   DNSKEY 14 2 86400 20950926153053 20251013153053 33167 @ xxxxqayRNsL32Km0c9AjwN0RNktt4iGb 97Dwi0uiHPcM4eVNZR2w68XMUh43+nR1 DA1QE2RqIqt7soEIwi1z4kAczf7W1wrP 7dcbEwjxS9D1CefuNRG1xnj9wGsqKecI
+@              NSEC    a A NS SOA RRSIG NSEC DNSKEY
+@              RRSIG   NSEC 14 2 0 20950926153053 20251013153053 33167 @ xxxx4Y6vqeOJHWEeg0T0OY4z7BdDrTkn BY9Yra8zSjFEGZvIX3irPd81+u5xlA0T 9waJO2Y9W42IMrOeKdQt++QXVHsLhOYn 4NAF6RotHSb4cqv1DXI1PSchMaJ5FWwD
+
+a              A       10.53.0.2
+a              RRSIG   A 14 3 86400 20950926153053 20251013153053 33167 @ xxxxv31CNatB9xzj3AfTMlwiO0OqxbpJ cWrHN8zjj1ScXpqrHITfG/CZpoECDLWF wkXshDB/QMxHrnXkPKEcR2c9o5tcQT5R nHvtr7HT4Ob5PcY5DnItf3OWhE+bocmW
+a              NSEC    @ A RRSIG NSEC
+a              RRSIG   NSEC 14 3 0 20950926153053 20251013153053 33167 @ xxxxwMWbUxb3ScBKEVheQ2wFqujc6cyt 28GVCU0wPrBpK72HSsgdYme7IG8ZXGfa IWSU1Kf/om5+El7Tf2vDs7aI1yI7e7YG D5IxMejQg5v3/wtP7AJZXP5K9ICjq/ph

diff --git a/bin/tests/system/dnssec-malformed-dnskey/ns2/trusted.conf.j2 b/bin/tests/system/dnssec-malformed-dnskey/ns2/trusted.conf.j2
index 89adc17f29ad9d7d9b6b8c150b1dfdee307a0aca..b7e95e76f1e8423b31ea77e349a480bcfd54b5e6 100644 (file)
--- a/bin/tests/system/dnssec-malformed-dnskey/ns2/trusted.conf.j2
+++ b/bin/tests/system/dnssec-malformed-dnskey/ns2/trusted.conf.j2
@@ -13,4 +13,15 @@
 
 trust-anchors {
        example. static-key 257 3 14 "@ksk_public_key@";
+
+       /*
+        *  The key tag in the trust anchor must match that of the revoked
+        *  truncated self-signed key in the truncated.selfsigned. zone.
+        *
+        *  The DNSKEY contents are intentionally different here, because the
+        *  key doesn't have the revoked bit here and that flag is part of the
+        *  key tag. The following decodes to key tag 33167, which is the same
+        *  as the revoked truncated key in the zone file.
+        */
+       truncated.selfsigned. static-key 257 3 14 "fYA=";
 };

diff --git a/bin/tests/system/dnssec-malformed-dnskey/ns3/named.conf.j2 b/bin/tests/system/dnssec-malformed-dnskey/ns3/named.conf.j2
index bdd1053cf87fdab468fd85cf1ed9fa264f31b0e9..1cff583dcad4961c0a5dbdcd3f9b80e470f66cdf 100644 (file)
--- a/bin/tests/system/dnssec-malformed-dnskey/ns3/named.conf.j2
+++ b/bin/tests/system/dnssec-malformed-dnskey/ns3/named.conf.j2
@@ -31,4 +31,9 @@ zone "example." {
        server-addresses { 10.53.0.2; };
 };
 
+zone "truncated.selfsigned." {
+       type static-stub;
+       server-addresses { 10.53.0.2; };
+};
+
 include "trusted.conf";

diff --git a/bin/tests/system/dnssec-malformed-dnskey/tests_malformed_dnskey.py b/bin/tests/system/dnssec-malformed-dnskey/tests_malformed_dnskey.py
index 8b871de79799933d14a8c23662bdf53de2ce8fb5..57d8479dc3910cd1a5c96e5083edd2f943fbae0c 100644 (file)
--- a/bin/tests/system/dnssec-malformed-dnskey/tests_malformed_dnskey.py
+++ b/bin/tests/system/dnssec-malformed-dnskey/tests_malformed_dnskey.py
@@ -180,3 +180,9 @@ def test_multiple_rrsigs(ns3):
         res = isctest.query.tcp(msg, "10.53.0.3")
 
     isctest.check.servfail(res)
+
+
+def test_truncated_dnskey():
+    msg = isctest.query.create("a.truncated.selfsigned.", "A")
+    res = isctest.query.tcp(msg, "10.53.0.3")
+    isctest.check.servfail(res)