// NS9
+{% set forward_badkey = forward_badkey | default(False) %}
+
options {
query-source address 10.53.0.9;
notify-source 10.53.0.9;
recursion yes;
dnssec-validation yes;
forward only;
-{% set forward_badkey = forward_badkey | default(False) %}
{% if forward_badkey %}
forwarders { 10.53.0.5; };
{% else %}
res2 = isctest.query.tcp(msg, "10.53.0.4")
isctest.check.noadflag(res2)
isctest.check.same_answer(res, res2)
-
-
-def test_revoked_init(servers, templates):
- # use a revoked key and try to reiniitialize; check for failure
- ns5 = servers["ns5"]
- templates.render("ns5/named.conf", {"revoked_key": True})
- ns5.reconfigure(log=False)
-
- msg = isctest.query.create(".", "SOA")
- res = isctest.query.tcp(msg, "10.53.0.5")
- isctest.check.servfail(res)
-
-
-def test_broken_forwarding(servers, templates):
- # check forwarder CD behavior (forward server with bad trust anchor)
- ns5 = servers["ns5"]
- templates.render("ns5/named.conf", {"broken_key": True})
- ns5.reconfigure(log=False)
-
- ns9 = servers["ns9"]
- templates.render("ns9/named.conf", {"forward_badkey": True})
- ns9.reconfigure(log=False)
-
- # confirm invalid trust anchor produces SERVFAIL in resolver
- msg = isctest.query.create("a.secure.example.", "A")
- res = isctest.query.tcp(msg, "10.53.0.5")
- isctest.check.servfail(res)
-
- # check that lookup involving forwarder succeeds and SERVFAIL was received
- with ns9.watch_log_from_here() as watcher:
- msg = isctest.query.create("a.secure.example.", "SOA")
- res = isctest.query.tcp(msg, "10.53.0.9")
- isctest.check.noerror(res)
- assert (res.flags & flags.AD) != 0
- watcher.wait_for_line("status: SERVFAIL")
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from dns import flags
+
+import pytest
+
+import isctest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure(servers, templates):
+ ns5 = servers["ns5"]
+ templates.render("ns5/named.conf", {"broken_key": True})
+ ns5.reconfigure(log=False)
+
+ ns9 = servers["ns9"]
+ templates.render("ns9/named.conf", {"forward_badkey": True})
+ ns9.reconfigure(log=False)
+
+
+def test_broken_forwarding(servers):
+ # check forwarder CD behavior (forward server with bad trust anchor)
+ ns9 = servers["ns9"]
+
+ # confirm invalid trust anchor produces SERVFAIL in resolver
+ msg = isctest.query.create("a.secure.example.", "A")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
+
+ # check that lookup involving forwarder succeeds and SERVFAIL was received
+ with ns9.watch_log_from_here() as watcher:
+ msg = isctest.query.create("a.secure.example.", "SOA")
+ res = isctest.query.tcp(msg, "10.53.0.9")
+ isctest.check.noerror(res)
+ assert (res.flags & flags.AD) != 0
+ watcher.wait_for_line("status: SERVFAIL")
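Review bot: The AD-bit check in `test_broken_forwarding` is open-coded as `assert (res.flags & flags.AD) != 0`, while the suite elsewhere uses helpers such as `isctest.check.noadflag(res2)`. If the counterpart helper exists in `isctest.check`, `isctest.check.adflag(res)` would match that style and make the `from dns import flags` import unnecessary. The test would also benefit from a docstring naming the property under test, for example `"""ns9 forwards to ns5, whose trust anchor is broken; ns9 must still return a validated (AD) answer even though ns5 answers SERVFAIL."""`. The AD assertion is the security-relevant part, and the current one-line comment does not say why AD is expected. The module-scoped `reconfigure` fixture leaves ns5 and ns9 on the broken configuration for the rest of the module, which is presumably intended but deserves a one-line comment.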
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+import isctest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure(servers, templates):
+ ns5 = servers["ns5"]
+ templates.render("ns5/named.conf", {"revoked_key": True})
+ ns5.reconfigure(log=False)
+
+
+def test_revoked_init():
+ # use a revoked key and check for failure when using revoked key
+ msg = isctest.query.create(".", "SOA")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
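Review bot: `test_revoked_init` accepts any SERVFAIL from 10.53.0.5 as proof that the revoked key was rejected, so a server failing for an unrelated reason (for example a reconfigure that did not take effect) would pass the same way. Since this guards trust-anchor handling, consider also asserting on ns5's log for the message named emits about the revoked anchor, captured around the `ns5.reconfigure(log=False)` call in the fixture. The exact log text is not visible on this page and has to be taken from named's output. The comment `# use a revoked key and check for failure when using revoked key` repeats itself and loses the "reinitialize" intent of the wording it replaces; something like `# ns5 is configured with a revoked trust anchor; resolution must fail` would be clearer.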