multisigner. NS ns2.multisigner.
ns2.multisigner. A 10.53.0.2
+bad-dsync. NS ns2.bad-dsync.
+ns2.bad-dsync. A 10.53.0.2
+
secondary. NS ns2.secondary.
ns2.secondary. A 10.53.0.2
echo_i "ns1/setup.sh"
-for tld in multisigner secondary; do
+for tld in multisigner bad-dsync secondary; do
cp "../ns2/dsset-${tld}." .
done
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+$ORIGIN bad-dsync.
+
+bad-dsync. IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ns2 A 10.53.0.2
+
+scanner A 10.53.0.2
+
+model2 NS ns3
+ NS ns4
+
+ns3.model2 A 10.53.0.3
+ns4.model2 A 10.53.0.4
+
+*._dsync DSYNC CDS NOTIFY @PORT@ scanner1
+*._dsync DSYNC CDS NOTIFY @PORT@ scanner2
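Review bot: The two `*._dsync` DSYNC records on the last two lines are the whole point of this fixture, but nothing in the file says so, and their targets `scanner1` and `scanner2` have no address records (only `scanner` does), which reads like a typo to anyone who does not know the test. A comment above them would stop a later "fix" from collapsing them into one record: `; Deliberately ambiguous: two DSYNC records for the same scheme (NOTIFY) and RRtype (CDS).` followed by `; dsyncfetch is expected to drop the answer rather than pick one, so the targets are never meant to be resolved.` If the missing A records for scanner1/scanner2 are not intentional, that belongs in this file rather than in the test.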
file "multisigner.db.signed";
};
+zone "bad-dsync" {
+ type primary;
+ file "bad-dsync.db.signed";
+};
+
zone "secondary" {
type primary;
file "secondary.db.signed";
}
setup "multisigner"
+setup "bad-dsync"
setup "secondary"
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
inline-signing no;
};
+zone "model2.bad-dsync." {
+ type primary;
+ allow-update { any; };
+ file "model2.bad-dsync.db";
+ dnssec-policy model2;
+ inline-signing no;
+};
+
zone "model2.secondary." {
type secondary;
primaries { 10.53.0.5; };
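Review bot: `allow-update { any; };` on the new model2.bad-dsync zone accepts dynamic updates from any source, yet test_multisigner_bad_dsync in this commit never sends an update to the zone; it only waits on the dsyncfetch log line. If the option is carried over from the model2.multisigner zone so the two are configured identically, say so next to it, `// mirrors model2.multisigner; the bad-dsync test sends no updates`; otherwise drop the line, since an open-update zone is not needed to reproduce the duplicate-DSYNC case. The same applies to the ns4 named.conf hunk that adds the inline-signing variant of this zone.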
$SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1
$DSFROMKEY $KSK.key >dsset-ns3-${zone}.
+zone="model2.bad-dsync"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone)
+ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone)
+$SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1
+$DSFROMKEY $KSK.key >dsset-ns3-${zone}.
+
zone="model2.secondary"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
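Review bot: The eight added lines from `zone="model2.bad-dsync"` through the `$DSFROMKEY` call are a verbatim copy of the block that ends just above the hunk, differing only in the zone name, and the ns4 setup.sh hunk repeats the same copy with `dsset-ns4-`. A small function that takes the zone name removes the duplication and makes the next zone a one-line addition. Because the lines following this hunk (outside it) appear to keep using `$zonefile`, `$KSK` and `$ZSK`, the function deliberately assigns them as shell globals rather than locals, so the rest of the script is unaffected.
```shell
# Generate KSK/ZSK for a model2 zone, set their timing metadata, and write its DS set.
# Leaves zone, zonefile, KSK and ZSK set as globals for the steps that follow.
setup_model2_keys() {
  zone="$1"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone)
  ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone)
  $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1
  $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1
  $DSFROMKEY $KSK.key >dsset-ns3-${zone}.
}

setup_model2_keys "model2.bad-dsync"
# … unchanged: model2.secondary setup …
```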
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns4
+ns4 A 10.53.0.4
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
inline-signing yes;
};
+zone "model2.bad-dsync." {
+ type primary;
+ allow-update { any; };
+ file "model2.bad-dsync.db";
+ dnssec-policy model2;
+ inline-signing yes;
+};
+
zone "model2.secondary." {
type secondary;
primaries { 10.53.0.5; };
$SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1
$DSFROMKEY $KSK.key >dsset-ns4-${zone}.
+zone="model2.bad-dsync"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone)
+ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone)
+$SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1
+$DSFROMKEY $KSK.key >dsset-ns4-${zone}.
+
zone="model2.secondary"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
check_no_dnssec_in_journal(ns4, zone)
+def test_multisigner_bad_dsync(ns3, ns4):
+ zone = "model2.bad-dsync"
+
+ # First make sure the zone is properly signed.
+ isctest.log.info(f"basic DNSSEC tests for {zone}")
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+ isctest.kasp.wait_keymgr_done(ns4, zone)
+
+ with ns3.watch_log_from_start() as watcher:
+ watcher.wait_for_line(
+ f"zone {zone}/IN: dsyncfetch: multiple DSYNC records matching NOTIFY scheme and CDS RRtype, dropping response"
+ )
+
+ with ns4.watch_log_from_start() as watcher:
+ watcher.wait_for_line(
+ f"zone {zone}/IN (signed): dsyncfetch: multiple DSYNC records matching NOTIFY scheme and CDS RRtype, dropping response"
+ )
+
+
def test_multisigner_secondary(ns2, ns3, ns4, ns5):
zone = "model2.secondary"
keyprops = [
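Review bot: The comment `# First make sure the zone is properly signed.` promises more than the two `wait_keymgr_done` calls below it deliver; the sibling tests check key state (`keyprops` at the end of the hunk) and the journal (`check_no_dnssec_in_journal` at its start), while this test only waits for the key manager before watching the log. Either add a signed-zone check here or reword the comment to what the code does, `# Wait for the key manager before looking for the dsyncfetch log line.`. The test also has no docstring; it should state that the parent zone bad-dsync publishes two DSYNC CDS/NOTIFY records at `*._dsync`, that both the plain ns3 copy and the inline-signed ns4 copy of model2.bad-dsync (hence the `/IN (signed)` form of the second expected line) must log the "multiple DSYNC records ... dropping response" message, and that the only evidence checked is that log line. Nothing on the page shows the `wait_for_line` timeout, so if a dropped response could take longer than the default, the call should pass one explicitly.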