An existing SERVFAIL cache test is updated, as it initially checks there
is no EDE (the first SERVFAIL), then immediately re-does the same query
(still SERVFAIL) and expects the CACHED_ERROR EDE.
However, the configuration used for this test to generate a SERVFAIL is
a broken DNSSEC configuration, where the DNSKEY is not the expected one
(it's a ZSK instead of a KSK). As a result, the first attempt also now
raises an EDE (MISSING_DNSKEY).
infile=example.db.in
zonefile=example.db
+# The zone is signed but it's broken: instead of having a ZSK and a KSK (which
+# is the DNSKEY pointed by the parent's DS), it has two ZSKs. As a result,
+# `example.` validations will always fail, resulting into a SERVFAIL on
+# validating resolvers.
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
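Review bot: the added comment attributes the validation failure to the zone having "two ZSKs" and no KSK, but validators do not require the SEP/KSK flag on the key that the DS points at; a DS matching either of the two keys generated on the two `$KEYGEN` lines (neither passes `-f KSK`) would still validate. What actually breaks `example.` is that the parent's DS does not match any DNSKEY the zone publishes, so the comment should state that explicitly (e.g. "the DS in the parent does not match either published DNSKEY, so validation of `example.` fails"), and ideally say where that DS comes from so the next reader does not assume adding a KSK flag would fix or break the test. Minor wording: "resulting into a SERVFAIL" should read "resulting in a SERVFAIL".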
res = isctest.query.udp(msg, ns.ip)
isctest.check.servfail(res)
if ede:
+ # The SERVFAIL is cached, so now it shows up the EDE CACHED_ERROR, but not the DNSKEY_MISSING.
isctest.check.ede(res, EDECode.CACHED_ERROR)
else:
- isctest.check.noede(res)
+ # example. domain DNSSEC is misconfigured on ns2, as it have two ZSK but no KSK. As a result, the DNSKEY for example. can't be found.
+ isctest.check.ede(res, EDECode.DNSKEY_MISSING)
def test_sfcache_ede(ns5, templates):
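Review bot: the comment on the cached branch says the response "shows up the EDE CACHED_ERROR, but not the DNSKEY_MISSING", yet the check below it only asserts that CACHED_ERROR is present; if the absence of DNSKEY_MISSING on the cached answer is part of the expected behaviour, assert it (if `isctest.check` offers a way to check a specific EDE code is absent), otherwise drop that half of the comment so the comment and the assertion agree. In the other branch the new comment should read "as it has two ZSKs but no KSK", and since the test queries `ns.ip` while the comment names `ns2`, either make the fixture name explicit or phrase the comment in terms of the server under test so they cannot drift apart.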