"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
-# Configure the resolving server with a staitc key.
+# Configure the resolving server with a static key.
keyfile_to_static_ds "$ksk" >trusted.conf
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
# Also generate a broken trusted-keys file for the dnssec test.
#
broken=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" .)
-keyfile_to_static_ds "$broken" >../ns4/broken.conf
+keyfile_to_static_ds "$broken" >../ns5/broken.conf
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
- dnssec-validation yes;
minimal-responses no;
nta-lifetime 12s;
nta-recheck 9s;
validate-except { corp; };
- disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
- disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
- disable-ds-digests "ds-unsupported.example." {"SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
- disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
-
# Note: We only reference the bind.keys file here to confirm that it
# is *not* being used. It contains the real root key, and we're
# using a local toy root zone for the tests, so it wouldn't work.
# But since dnssec-validation is set to "yes" not "auto", that
# won't matter.
+ dnssec-validation yes;
bindkeys-file "../../../../../bind.keys";
};
+include "trusted.conf";
+
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
type static-stub;
server-addresses { 10.53.0.2; };
};
-
-include "trusted.conf";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
+ minimal-responses no;
+
+ nta-lifetime 12s;
+ nta-recheck 9s;
+ validate-except { corp; };
+
dnssec-validation auto;
bindkeys-file "managed.conf";
- minimal-responses no;
- disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
- disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
- disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
- disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
};
key rndc_key {
type hint;
file "../../_common/root.hint";
};
+
+zone "corp" {
+ type static-stub;
+ server-addresses { 10.53.0.2; };
+};
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
- dnssec-validation auto;
- bindkeys-file "managed.conf";
- dnssec-accept-expired yes;
minimal-responses no;
+
+ nta-lifetime 12s;
+ nta-recheck 9s;
+ validate-except { corp; };
+
+ dnssec-accept-expired yes;
servfail-ttl 0;
- disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
- disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";};
- disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
- disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+ dnssec-validation auto;
+ bindkeys-file "managed.conf";
};
key rndc_key {
type hint;
file "../../_common/root.hint";
};
+
+zone "corp" {
+ type static-stub;
+ server-addresses { 10.53.0.2; };
+};
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
+ minimal-responses no;
+
+ nta-lifetime 12s;
+ nta-recheck 9s;
+
disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
algorithm @DEFAULT_HMAC@;
};
-include "trusted.conf";
-
view rec {
match-recursive-only yes;
recursion yes;
- dnssec-validation yes;
dnssec-accept-expired yes;
minimal-responses no;
+ dnssec-validation yes;
+
+ include "trusted.conf";
zone "." {
type hint;
view auth {
recursion no;
allow-recursion { none; };
+ dnssec-validation no;
zone "." {
type hint;
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS4
-
-options {
- query-source address 10.53.0.4;
- notify-source 10.53.0.4;
- transfer-source 10.53.0.4;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.4; };
- listen-on-v6 { none; };
- recursion yes;
- dnssec-validation yes;
- minimal-responses no;
-
-};
-
-# Note: This contains a deliberately incorrect key,
-# so it won't work with the root zones used in the tests;
-# all signed data should SERVFAIL. This is to test the case
-# of a validating forwarder talking to a resolver that has
-# a misconfigured trust anchor.
-include "broken.conf";
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm @DEFAULT_HMAC@;
-};
-
-controls {
- inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-zone "." {
- type hint;
- file "../../_common/root.hint";
-};
-
-zone "corp" {
- type static-stub;
- server-addresses { 10.53.0.2; };
-};
// NS5
-key rndc_key {
- secret "1234abcd8765";
- algorithm @DEFAULT_HMAC@;
-};
-
-controls {
- inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
options {
query-source address 10.53.0.5;
notify-source 10.53.0.5;
listen-on { 10.53.0.5; 127.0.0.1; };
listen-on-v6 { none; };
recursion yes;
- dnssec-validation yes;
};
-view root {
- match-destinations { 127.0.0.1; };
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
- zone "." {
- type primary;
- file "root.db.signed";
- };
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
-view other {
-include "revoked.conf";
+{% set revoked_key = revoked_key | default(False) %}
+{% set broken_key = broken_key | default(False) %}
+{% if revoked_key %}
+ view root {
+ match-destinations { 127.0.0.1; };
+ dnssec-validation no;
+ zone "." {
+ type primary;
+ file "root.db.signed";
+ };
+ };
+
+ view other {
+ dnssec-validation yes;
+ include "revoked.conf";
+
+ zone "." {
+ type static-stub;
+ server-addresses { 127.0.0.1; };
+ };
+ };
+{% elif broken_key %}
zone "." {
+ type hint;
+ file "../../_common/root.hint";
+ };
+
+ zone "corp" {
type static-stub;
- server-addresses { 127.0.0.1; };
+ server-addresses { 10.53.0.2; };
};
-};
+
+ include "broken.conf";
+{% else %}
+ zone "." {
+ type hint;
+ file "../../_common/root.hint";
+ };
+
+ include "trusted.conf";
+{% endif %}
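Review bot: The `broken_key` branch and the default `else` branch set no `dnssec-validation` at all, while the options-level `dnssec-validation yes;` is removed in this same hunk and only the two `revoked_key` views set it explicitly; the `options {` block opens before the hunk. Whatever the build's default validation mode is then decides whether ns5 validates with the static anchor from `broken.conf`/`trusted.conf` alone or also loads a built-in managed root key, which the NS4 comment elsewhere in this diff says would not work against the toy root. To keep the misconfigured-anchor scenario explicit regardless of defaults, add `dnssec-validation yes;` back under `options` (or as the first statement of the `broken_key` and `else` branches), e.g. `{% elif broken_key %}` followed by ` dnssec-validation yes;`.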
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS5
-
-options {
- query-source address 10.53.0.5;
- notify-source 10.53.0.5;
- transfer-source 10.53.0.5;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.5; };
- listen-on-v6 { none; };
- recursion yes;
- dnssec-validation yes;
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm @DEFAULT_HMAC@;
-};
-
-controls {
- inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-
-zone "." {
- type hint;
- file "../../_common/root.hint";
-};
-
-include "trusted.conf";
recursion yes;
dnssec-validation yes;
forward only;
+{% set forward_badkey = forward_badkey | default(False) %}
+{% if forward_badkey %}
+ forwarders { 10.53.0.5; };
+{% else %}
forwarders { 10.53.0.4; };
+{% endif %}
servfail-ttl 0;
};
set -e
-copy_setports ns1/named.conf.in ns1/named.conf
-copy_setports ns2/named.conf.in ns2/named.conf
-copy_setports ns3/named.conf.in ns3/named.conf
-
copy_setports ns4/named1.conf.in ns4/named.conf
-copy_setports ns5/named1.conf.in ns5/named.conf
-
-copy_setports ns6/named.conf.in ns6/named.conf
-copy_setports ns7/named.conf.in ns7/named.conf
-copy_setports ns8/named.conf.in ns8/named.conf
-
-copy_setports ns9/named.conf.in ns9/named.conf
(
cd ns1
status=$((status + ret))
fi
-# Try validating with a bad trusted key.
-# This should fail.
-
-echo_i "checking that validation fails with a misconfigured trusted key ($n)"
-ret=0
-dig_with_opts example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1
-grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that negative validation fails with a misconfigured trusted key ($n)"
-ret=0
-dig_with_opts example. ptr @10.53.0.5 >dig.out.ns5.test$n || ret=1
-grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking that insecurity proofs fail with a misconfigured trusted key ($n)"
-ret=0
-dig_with_opts a.insecure.example. a @10.53.0.5 >dig.out.ns5.test$n || ret=1
-grep "SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
echo_i "checking that validation fails when key record is missing ($n)"
ret=0
dig_with_opts a.b.keyless.example. a @10.53.0.4 >dig.out.ns4.test$n || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
-# Check that the setting the cd bit works
-
-echo_i "checking cd bit on a positive answer ($n)"
-ret=0
-dig_with_opts +noauth example. soa @10.53.0.4 \
- >dig.out.ns4.test$n || ret=1
-dig_with_opts +noauth +cdflag example. soa @10.53.0.5 \
- >dig.out.ns5.test$n || ret=1
-digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking cd bit on a negative answer ($n)"
-ret=0
-dig_with_opts q.example. soa @10.53.0.4 >dig.out.ns4.test$n || ret=1
-dig_with_opts +cdflag q.example. soa @10.53.0.5 >dig.out.ns5.test$n || ret=1
-digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
echo_i "checking insecurity proof works using negative cache ($n)"
ret=0
rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
-echo_i "checking cd bit on a query that should fail ($n)"
-ret=0
-dig_with_opts a.bogus.example. soa @10.53.0.4 \
- >dig.out.ns4.test$n || ret=1
-dig_with_opts +cdflag a.bogus.example. soa @10.53.0.5 \
- >dig.out.ns5.test$n || ret=1
-digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - this is looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking cd bit on an insecurity proof ($n)"
-ret=0
-dig_with_opts +noauth a.insecure.example. soa @10.53.0.4 \
- >dig.out.ns4.test$n || ret=1
-dig_with_opts +noauth +cdflag a.insecure.example. soa @10.53.0.5 \
- >dig.out.ns5.test$n || ret=1
-digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - these are looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-echo_i "checking cd bit on a negative insecurity proof ($n)"
-ret=0
-dig_with_opts q.insecure.example. a @10.53.0.4 \
- >dig.out.ns4.test$n || ret=1
-dig_with_opts +cdflag q.insecure.example. a @10.53.0.5 \
- >dig.out.ns5.test$n || ret=1
-digcomp dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-# Note - these are looking for failure, hence the &&
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns5.test$n >/dev/null && ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
echo_i "checking that validation of an ANY query works ($n)"
ret=0
dig_with_opts +noauth foo.example. any @10.53.0.2 >dig.out.ns2.test$n || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
-echo_i "checking initialization with a revoked managed key ($n)"
-ret=0
-copy_setports ns5/named2.conf.in ns5/named.conf
-rndccmd 10.53.0.5 reconfig 2>&1 | sed 's/^/ns5 /' | cat_i
-sleep 3
-dig_with_opts +dnssec @10.53.0.5 SOA . >dig.out.ns5.test$n
-grep "status: SERVFAIL" dig.out.ns5.test$n >/dev/null || ret=1
-n=$((n + 1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
echo_i "check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)"
ret=0
(
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
-copy_setports ns4/named5.conf.in ns4/named.conf
-rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
-sleep 3
-
-echo_i "checking forwarder CD behavior (forward server with bad trust anchor) ($n)"
-ret=0
-# confirm invalid trust anchor produces SERVFAIL in resolver
-$DIG +tcp +dnssec -p "$PORT" @10.53.0.4 a.secure.example >dig.out.ns4.test$n || ret=1
-grep "status: SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
-# check that lookup using forwarder succeeds and that SERVFAIL was received
-nextpart ns9/named.run >/dev/null
-$DIG +tcp +dnssec -p "$PORT" @10.53.0.9 a.secure.example soa >dig.out.ns9.test$n || ret=1
-grep "status: NOERROR" dig.out.ns9.test$n >/dev/null || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns9.test$n >/dev/null || ret=1
-nextpart ns9/named.run | grep 'status: SERVFAIL' >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from dns import flags
+
+import isctest
+
+
+def test_misconfigured_validation():
+ # check that validation fails with a misconfigured trust anchor
+ msg = isctest.query.create("example.", "SOA")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
+
+
+def test_misconfigured_negative_validation():
+ # check that negative validation fails with a misconfigured trust anchor
+ msg = isctest.query.create("example.", "PTR")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
+
+
+def test_misconfigured_insecurity():
+ # check that insecurity proofs fail with a misconfigured trust anchor
+ msg = isctest.query.create("a.insecure.example.", "A")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
+
+
+def test_misconfigured_cd_positive():
+ # check AD bit of a positive answer with misconfigured trust anchor, CD=1
+ msg = isctest.query.create("example.", "SOA")
+ msg.flags |= flags.CD
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res)
+ assert (res.flags & flags.AD) == 0
+
+
+def test_misconfigured_cd_negative():
+ # check cd bit on a negative answer with misconfigured trust anchor, CD=1
+ msg = isctest.query.create("q.example.", "SOA")
+ msg.flags |= flags.CD
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.nxdomain(res)
+ assert (res.flags & flags.AD) == 0
+ # compare the response from a correctly configured server
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.nxdomain(res2)
+ assert (res2.flags & flags.AD) == 0
+ assert res.answer == res2.answer
+
+
+def test_misconfigured_cd_bogus():
+ # check cd bit on a query that should fail
+ msg = isctest.query.create("a.bogus.example.", "SOA")
+ msg.flags |= flags.CD
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res)
+ assert (res.flags & flags.AD) == 0
+ # compare the response from a correctly configured server
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.noerror(res2)
+ assert (res2.flags & flags.AD) == 0
+ assert res.answer == res2.answer
+
+
+def test_misconfigured_cd_insecurity():
+ # check cd bit on an insecurity proof
+ msg = isctest.query.create("a.insecure.example.", "SOA")
+ msg.flags |= flags.CD
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res)
+ assert (res.flags & flags.AD) == 0
+ # compare the response from a correctly configured server
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.noerror(res2)
+ assert (res2.flags & flags.AD) == 0
+ assert res.answer == res2.answer
+
+
+def test_misconfigured_cd_negative_insecurity():
+ # check cd bit on an insecurity proof
+ msg = isctest.query.create("q.insecure.example.", "A")
+ msg.flags |= flags.CD
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.nxdomain(res)
+ assert (res.flags & flags.AD) == 0
+ # compare the response from a correctly configured server
+ res2 = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.nxdomain(res2)
+ assert (res2.flags & flags.AD) == 0
+ assert res.answer == res2.answer
+
+
+def test_revoked_init(servers, templates):
+ # use a revoked key and try to reiniitialize; check for failure
+ ns5 = servers["ns5"]
+ templates.render("ns5/named.conf", {"revoked_key": True})
+ ns5.reconfigure(log=False)
+
+ msg = isctest.query.create(".", "SOA")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
+
+
+def test_broken_forwarding(servers, templates):
+ # check forwarder CD behavior (forward server with bad trust anchor)
+ ns5 = servers["ns5"]
+ templates.render("ns5/named.conf", {"broken_key": True})
+ ns5.reconfigure(log=False)
+
+ ns9 = servers["ns9"]
+ templates.render("ns9/named.conf", {"forward_badkey": True})
+ ns9.reconfigure(log=False)
+
+ # confirm invalid trust anchor produces SERVFAIL in resolver
+ msg = isctest.query.create("a.secure.example.", "A")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
+
+ # check that lookup involving forwarder succeeds and SERVFAIL was received
+ with ns9.watch_log_from_here() as watcher:
+ msg = isctest.query.create("a.secure.example.", "SOA")
+ res = isctest.query.tcp(msg, "10.53.0.9")
+ isctest.check.noerror(res)
+ assert (res.flags & flags.AD) != 0
+ watcher.wait_for_line("status: SERVFAIL")
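Review bot: `test_revoked_init` and `test_broken_forwarding` re-render `ns5/named.conf` (and `ns9/named.conf`) with non-default template variables and reconfigure the servers, but nothing restores the default rendering, so every later test in the session that queries 10.53.0.5 or 10.53.0.9 inherits the revoked or broken trust anchor and the bad forwarder; the two tests also only pass in file order because the second render silently resets `revoked_key` to its default. Unless a fixture outside this file performs the restore, wrap the modifying section in `try`/`finally` (or a yielding fixture) that re-renders with an empty variable dict, assuming `templates.render` accepts one, and reconfigures both servers. Separately, the comment on `test_revoked_init` has the typo `reiniitialize`, and the comment on `test_misconfigured_cd_negative_insecurity` is copied from the previous test and should read `# check cd bit on a negative insecurity proof`.
```python
def test_broken_forwarding(servers, templates):
    # check forwarder CD behavior (forward server with bad trust anchor)
    ns5 = servers["ns5"]
    ns9 = servers["ns9"]
    try:
        templates.render("ns5/named.conf", {"broken_key": True})
        ns5.reconfigure(log=False)
        templates.render("ns9/named.conf", {"forward_badkey": True})
        ns9.reconfigure(log=False)
        # … unchanged: SERVFAIL check on ns5 and watched forwarder query on ns9 …
    finally:
        # put both servers back so later tests do not inherit the bad anchor/forwarder
        templates.render("ns5/named.conf", {})
        ns5.reconfigure(log=False)
        templates.render("ns9/named.conf", {})
        ns9.reconfigure(log=False)
```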
"*/*.jbk",
"*/*.signed",
"*/*.mkeys*",
+ "*/managed-keys.bind",
"ans*/ans.run",
"ans*/query.log",
"ns1/managed.key.id",
"ns3/update-nsec3.example.db.signed",
"ns3/upper.example.db",
"ns3/upper.example.db.lower",
- "ns4/broken.conf",
"ns4/managed.conf",
- "ns4/managed-keys.bind",
"ns4/named.secroots",
"ns4/named_dump.db",
"ns4/named_dump.db.*",
+ "ns5/broken.conf",
"ns5/revoked.conf",
"ns6/optout-tld.db",
"ns7/split-rrsig.db",
"signer/example.db.changed",
"signer/example2.db",
"signer/example3.db",
+ "signer/general/*.jnl",
"signer/general/dnskey.expect",
"signer/general/dsset-*",
"signer/general/signed.expect",