]> git.ipfire.org Git - thirdparty/knot-resolver.git/commitdiff
projects / thirdparty / knot-resolver.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d3b4287)
daemon/lua/trust_anchors: set_insecure() fails when NTA is in TA list
authorLukáš Ježek <lukas.jezek@nic.cz>
Thu, 30 Apr 2020 13:22:56 +0000 (15:22 +0200)
committerLukáš Ježek <lukas.jezek@nic.cz>
Wed, 6 May 2020 13:39:20 +0000 (15:39 +0200)
daemon/lua/trust_anchors.lua.in patch | blob | blame | history
daemon/lua/trust_anchors.test/ta.test.lua patch | blob | blame | history

diff --git a/daemon/lua/trust_anchors.lua.in b/daemon/lua/trust_anchors.lua.in
index 621c8f867447f91abd785c1f6567e4684e492c72..30d170394e9a707170ddfded2f1373357738a642 100644 (file)
--- a/daemon/lua/trust_anchors.lua.in
+++ b/daemon/lua/trust_anchors.lua.in
@@ -476,6 +476,13 @@ trust_anchors = {
        set_insecure = function (list)
                assert(type(list) == 'table', 'parameter must be list of domain names (e.g. {"a.test", "b.example"})')
                local store = kres.context().negative_anchors
+               for i = 1, #list do
+                       local dname = kres.str2dname(list[i])
+                       if trust_anchors.keysets[dname] then
+                               error('cannot add NTA '..list[i]..' because it is TA. Use trust_anchors.remove() instead')
+                       end
+               end
+
                C.kr_ta_clear(store)
                for i = 1, #list do
                        local dname = kres.str2dname(list[i])
diff --git a/daemon/lua/trust_anchors.test/ta.test.lua b/daemon/lua/trust_anchors.test/ta.test.lua
index a846dc1932f1d6f5ce407d69349459ac73e3fb9e..395434df8653e02dd6cd0f62689400359a311b41 100644 (file)
--- a/daemon/lua/trust_anchors.test/ta.test.lua
+++ b/daemon/lua/trust_anchors.test/ta.test.lua
@@ -66,9 +66,20 @@ local function test_add_file()
           "Loaded KeyTag from root.keys")
 end
 
+local function test_nta()
+       assert(trust_anchors.keysets['\0'], 'root key must be there from previous tests')
+
+       trust_anchors.set_insecure({'example.com'})
+       is(trust_anchors.insecure[1], 'example.com', 'Add example.com to NTA list')
+       boom(trust_anchors.set_insecure, {{'.'}}, 'Got error when adding TA . to NTA list')
+       is(#trust_anchors.insecure, 1, 'Check one item in NTA list')
+       is(trust_anchors.insecure[1], 'example.com', 'Check previous NTA list')
+end
+
 return {
        test_revoked_key,
        test_remove,
        test_add_file,
+       test_nta,
 }
 
Mirror of https://gitlab.nic.cz/knot/knot-resolver.git