Add system tests that imports invalid SKR file
authorOndřej Surý <ondrej@isc.org>
Sun, 22 Feb 2026 06:27:07 +0000 (07:27 +0100)
committerOndřej Surý <ondrej@isc.org>
Tue, 24 Feb 2026 18:44:57 +0000 (19:44 +0100)
Try to import an invalid SKR file and check whether named is still
alive.  This test only triggers under ASAN.

bin/tests/system/ksr/ns1/named.conf.j2
bin/tests/system/ksr/ns1/setup.sh
bin/tests/system/ksr/tests_ksr.py

index 72830693215ed9022feaf1b6c1eef0f6b62b0bb7..baeebbf81f5ae9fcb4824b85556c5fb56fa81f49 100644 (file)
@@ -93,3 +93,17 @@ dnssec-policy "ksk-roll" {
                zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
        };
 };
+
+dnssec-policy "invalid-skr" {
+       offline-ksk yes;
+       keys {
+               ksk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+               zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+       };
+};
+
+zone "invalid-skr.test" {
+       type primary;
+       file "invalid-skr.test.db";
+       dnssec-policy "invalid-skr";
+};
index 2179ab251d39abf8874d28957d4c9916f0007af1..e8c932b39241e63f97b89bea84f9eea36f571017 100644 (file)
@@ -27,3 +27,4 @@ cp template.db.in in-the-middle.test.db
 cp template.db.in unlimited.test.db
 cp template.db.in two-tone.test.db
 cp template.db.in ksk-roll.test.db
+cp template.db.in invalid-skr.test.db
index e3fbf6dfa2ba829c7f2064ef71c802cfe4386b0d..3e0925bfab355ac2552330531501982a9898699b 100644 (file)
@@ -34,6 +34,7 @@ pytestmark = pytest.mark.extra_artifacts(
         "past.test.*",
         "two-tone.test.*",
         "unlimited.test.*",
+        "invalid-skr.test.*",
         "ns1/K*",
         "ns1/_default.nzd",
         "ns1/_default.nzf",
@@ -77,6 +78,11 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns1/unlimited.test.db.signed",
         "ns1/unlimited.test.db.signed.jnl",
         "ns1/unlimited.test.unlimited.skr.1",
+        "ns1/invalid-skr.test.db",
+        "ns1/invalid-skr.test.db.jbk",
+        "ns1/invalid-skr.test.db.signed",
+        "ns1/invalid-skr.test.db.signed.jnl",
+        "ns1/invalid-skr.test.skr.1",
     ]
 )
 
@@ -1298,3 +1304,21 @@ def test_ksr_kskroll(ns1):
     isctest.kasp.check_apex(ns1, zone, ksks, zsks, offline_ksk=True)
     # - check subdomain
     isctest.kasp.check_subdomain(ns1, zone, ksks, zsks, offline_ksk=True)
+
+
+def test_ksr_oversize(ns1):
+    zone = "invalid-skr.test"
+    n = 1
+
+    skr_fname = f"{zone}.skr.{n}"
+    token_len = 5000
+    with open(skr_fname, "w", encoding="utf-8") as skr:
+        huge_token = "A" * token_len
+        skr.write(f";; SignedKeyResponse 1.0 {huge_token}\n")
+
+    # - try importing invalid SKR file
+    shutil.copyfile(skr_fname, f"ns1/{skr_fname}")
+    ns1.rndc(f"skr -import {skr_fname} {zone}")
+
+    # - check if named is still running
+    ns1.rndc("status")
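Review bot: `test_ksr_oversize` asserts nothing about the import itself; its only check is the final `ns1.rndc("status")`, so on a build without ASAN an out-of-bounds access caused by the 5000-character token may not crash named and the test passes regardless. Assuming the rejection is logged, wrapping the import in `with ns1.watch_log_from_here() as watcher:` and ending with `watcher.wait_for_line("<expected SKR import error>")` (placeholder text, take the real message from the parser) would pin the intended behaviour on every build. Whether `ns1.rndc()` raises when named refuses the import is not visible in this hunk; if it does, the expected failure has to be tolerated explicitly, otherwise the test fails once the parser rejects the file. A one-line docstring, plus a comment on `token_len = 5000` naming the parser limit it is meant to exceed, would tell the next reader why this value was chosen.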