@pytest.fixture(scope="module", autouse=True)
-def reconfigure(servers, templates):
- ns5 = servers["ns5"]
+def reconfigure(ns5, ns9, templates):
templates.render("ns5/named.conf", {"broken_key": True})
ns5.reconfigure(log=False)
- ns9 = servers["ns9"]
templates.render("ns9/named.conf", {"forward_badkey": True})
ns9.reconfigure(log=False)
-def test_broken_forwarding(servers):
+def test_broken_forwarding(ns9):
# check forwarder CD behavior (forward server with bad trust anchor)
- ns9 = servers["ns9"]
# confirm invalid trust anchor produces SERVFAIL in resolver
msg = isctest.query.create("a.secure.example.", "A")
@pytest.fixture(scope="module", autouse=True)
-def reconfigure(servers, templates):
- ns5 = servers["ns5"]
+def reconfigure(ns5, templates):
templates.render("ns5/named.conf", {"revoked_key": True})
ns5.reconfigure(log=False)
return rrset.rdtype == rdatatype.RRSIG and rrset.covers == rdatatype.SOA
-def test_signatures_validity(servers, templates):
+def test_signatures_validity(ns3, templates):
# check that increasing signatures-validity triggers resigning
msg = isctest.query.create("siginterval.example.", "AXFR")
res = isctest.query.tcp(msg, "10.53.0.3")
before = next(filter(is_rrsig_soa, res.answer))
- ns3 = servers["ns3"]
templates.render("ns3/named.conf", {"long_sigs": True})
with ns3.watch_log_from_here() as watcher:
ns3.reconfigure(log=False)
"signing -clear all", # without zone
],
)
-def test_rndc_signing_except(cmd, servers):
- ns3 = servers["ns3"]
-
+def test_rndc_signing_except(cmd, ns3):
# check that 'rndc signing' errors are handled
with pytest.raises(isctest.rndc.RNDCException):
ns3.rndc(cmd, log=False)
ns3.rndc("status", log=False)
-def test_rndc_signing_output(servers):
- ns3 = servers["ns3"]
-
+def test_rndc_signing_output(ns3):
response = ns3.rndc("signing -list dynamic.example", log=False)
assert "No signing records found" in response
-def test_zonestatus_signing(servers):
- ns3 = servers["ns3"]
+def test_zonestatus_signing(ns3):
# check that the correct resigning time is reported in zonestatus.
# zonestatus reports a name/type and expecting resigning time;
# we convert the time to seconds since epoch, look up the RRSIG
assert when < sigs[0].expiration
-def test_offline_ksk_signing(servers):
+def test_offline_ksk_signing(ns2):
def getfrom(file):
with open(file, encoding="utf-8") as f:
return f.read().strip()
ksk_only_types = ["DNSKEY", "CDNSKEY", "CDS"]
- ns2 = servers["ns2"]
zone = "updatecheck-kskonly.secure"
KSK = getfrom(f"ns2/{zone}.ksk.key")
ZSK = getfrom(f"ns2/{zone}.zsk.key")
)
-def test_tat_queries(servers):
- ns1 = servers["ns1"]
- ns6 = servers["ns6"]
-
+def test_tat_queries(ns1, ns6):
# check that trust-anchor-telemetry queries are logged
with ns6.watch_log_from_start() as watcher:
watcher.wait_for_line("sending trust-anchor-telemetry query '_ta-")
isctest.check.noadflag(res2)
-def test_secure_root(servers):
+def test_secure_root(ns4):
# check that a query for a secure root validates
msg = isctest.query.create(".", "KEY")
res = isctest.query.tcp(msg, "10.53.0.4")
isctest.check.adflag(res)
# check that "rndc secroots" dumps the trusted keys
- ns4 = servers["ns4"]
key = int(getfrom("ns1/managed.key.id"))
alg = os.environ["DEFAULT_ALGORITHM"]
expected = f"./{alg}/{key} ; static"
isctest.check.adflag(res2)
-def test_private_algorithms(servers):
+def test_private_algorithms(ns4):
# positive answer, private algorithm
msg = isctest.query.create("a.rsasha256oid.example", "A")
res1 = isctest.query.tcp(msg, "10.53.0.3")
isctest.check.adflag(res2)
# positive anwer, extra ds for unknown private algorithm
- ns4 = servers["ns4"]
with ns4.watch_log_from_here() as watcher:
msg = isctest.query.create("a.extradsunknownoid.example", "A")
res1 = isctest.query.tcp(msg, "10.53.0.3")
isctest.check.servfail(res2)
-def test_cache(servers):
- ns4 = servers["ns4"]
-
+def test_cache(ns4):
# check that key id's are logged when dumping the cache
ns4.rndc("dumpdb -cache", log=False)
assert grep_q("; key id = ", "ns4/named_dump.db")
assert res1.authority[0].ttl != res2.authority[0].ttl
-def test_insecure_proof_nsec(servers):
+def test_insecure_proof_nsec(ns4):
# 1-server positive
msg = isctest.query.create("a.insecure.example", "A")
res1 = isctest.query.tcp(msg, "10.53.0.3")
isctest.check.noadflag(res2)
# insecurity proof using negative cache
- ns4 = servers["ns4"]
ns4.rndc("flush", log=False)
msg = isctest.query.create("insecure.example", "DS", cd=True)
isctest.query.tcp(msg, "10.53.0.4")
isctest.check.adflag(res2)
-def test_validation_recovery(servers):
- ns2 = servers["ns2"]
- ns4 = servers["ns4"]
-
+def test_validation_recovery(ns2, ns4):
# check recovery from spoofed server address.
# prime cache with spoofed address records...
msg = isctest.query.create("target.peer-ns-spoof", "A", cd=True)
assert str(a[0]) == "10.53.0.10"
-def test_validating_forwarder(servers):
- ns9 = servers["ns9"]
- ns4 = servers["ns4"]
-
+def test_validating_forwarder(ns4, ns9):
# check validating forwarder behavior with mismatching NS
ns4.rndc("flush", log=False)
msg = isctest.query.create("inconsistent", "NS", dnssec=False, cd=True)
watcher.wait_for_line("status: SERVFAIL")
-def test_expired_signatures(servers):
+def test_expired_signatures(ns4):
# check expired signatures do not validate
msg = isctest.query.create("expired.example", "SOA")
res = isctest.query.tcp(msg, "10.53.0.3")
isctest.check.adflag(res)
isctest.check.noerror(res)
- ns4 = servers["ns4"]
-
# test TTL is capped at RRSIG expiry time
ns4.rndc("flush", log=False)
msg = isctest.query.create("expiring.example", "SOA", cd=True)
isctest.check.noadflag(res)
-def test_pending_ds(servers):
+def test_pending_ds(ns4):
# check that a query against a validating resolver succeeds when there is
# a negative cache entry with trust level "pending" for the DS. prime
# with a +cd DS query to produce the negative cache entry, then send a
# query that uses that entry as part of the validation process.
- ns4 = servers["ns4"]
ns4.rndc("flush", log=False)
msg = isctest.query.create("insecure.example", "DS", cd=True)
res = isctest.query.tcp(msg, "10.53.0.4")
@pytest.fixture(scope="module", autouse=True)
-def reconfigure(servers, templates):
- ns4 = servers["ns4"]
+def reconfigure(ns4, templates):
templates.render("ns4/named.conf", {"accept_expired": True})
ns4.reconfigure(log=False)
-def test_accept_expired(servers):
- ns4 = servers["ns4"]
-
+def test_accept_expired(ns4):
# test TTL of about-to-expire rrsets with accept-expired
ns4.rndc("flush", log=False)
msg = isctest.query.create("expiring.example", "SOA")
@pytest.fixture(scope="module", autouse=True)
-def reconfigure(servers, templates):
- ns4 = servers["ns4"]
+def reconfigure(ns4, templates):
assert os.path.exists("ns4/managed-keys.bind.jnl") is False
shutil.copyfile("ns4/managed-keys.bind.in", "ns4/managed-keys.bind")
templates.render("ns4/named.conf", {"managed_key": True})
return f.read().strip()
-def test_secure_root_managed(servers):
+def test_secure_root_managed(ns4):
# check that a query for a secure root validates
msg = isctest.query.create(".", "KEY")
res = isctest.query.tcp(msg, "10.53.0.4")
isctest.check.adflag(res)
# check that "rndc secroots" dumps the trusted keys
- ns4 = servers["ns4"]
key = int(getfrom("ns1/managed.key.id"))
alg = os.environ["DEFAULT_ALGORITHM"]
expected = f"./{alg}/{key} ; managed"
isctest.check.noerror(res2)
-def test_keydata_storage(servers):
- ns4 = servers["ns4"]
+def test_keydata_storage(ns4):
ns4.rndc("managed-keys sync", log=False)
with isctest.log.WatchLogFromStart("ns4/managed-keys.bind") as watcher:
watcher.wait_for_line(["KEYDATA", "next refresh:"])
@pytest.fixture(scope="module", autouse=True)
-def reconfigure(servers, templates):
- ns5 = servers["ns5"]
+def reconfigure(ns5, templates):
templates.render("ns5/named.conf", {"many_anchors": True})
with ns5.watch_log_from_here() as watcher:
ns5.reconfigure(log=False)
@pytest.fixture(scope="module", autouse=True)
-def reconfigure(servers, templates):
- ns4 = servers["ns4"]
+def reconfigure(ns4, templates):
templates.render("ns4/named.conf", {"multi_view": True})
ns4.reconfigure(log=False)
projects / thirdparty / bind9.git / commitdiff
