ns2.inconsistent. A 10.53.0.2
nsec-rrsigs-stripped. NS ns10.nsec-rrsigs-stripped.
ns10.nsec-rrsigs-stripped. A 10.53.0.10
+ns.missing-dnskey. A 10.53.0.2
+missing-dnskey. NS ns.missing-dnskey.
+ns.missing-ksk. A 10.53.0.2
+missing-ksk. NS ns.missing-ksk.
+ns.wrong-dnskey. A 10.53.0.2
+wrong-dnskey. NS ns.wrong-dnskey.
cp "../ns2/dsset-dnskey-rrsigs-stripped." .
cp "../ns2/dsset-ds-rrsigs-stripped." .
cp "../ns2/dsset-inconsistent." .
+cp "../ns2/dsset-missing-dnskey." .
+cp "../ns2/dsset-wrong-dnskey." .
+cp "../ns2/dsset-missing-ksk." .
grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll."
cp "../ns6/dsset-optout-tld." .
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ MX 10 mx
+ns A 10.53.0.2
+a A 10.0.0.1
+b A 10.0.0.2
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ MX 10 mx
+ns A 10.53.0.2
+a A 10.0.0.1
+b A 10.0.0.2
file "child.ds-rrsigs-stripped.db.signed";
};
+zone "missing-dnskey" {
+ type primary;
+ file "missing-dnskey.db.signed";
+};
+
+zone "missing-ksk" {
+ type primary;
+ file "missing-ksk.db.signed";
+};
+
+zone "wrong-dnskey" {
+ type primary;
+ file "wrong-dnskey.db.signed";
+};
+
include "trusted.conf";
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -3 - -g -o "$zone" "$zonefile" >/dev/null 2>&1
+
+#
+# The DNSKEYs gets removed from the signed zone.
+#
+zone=missing-dnskey
+infile=missing-dnskey.db.in
+zonefile=missing-dnskey.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+"$SIGNER" -o "$zone" "$zonefile" >/dev/null 2>&1
+"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" | awk '$4 == "DNSKEY" { next } { print }' >"$zonefile.stripped"
+mv "$zonefile.stripped" "$zonefile.signed"
+
+#
+# The KSK gets removed from the signed zone, but the ZSK is still there.
+# 257 is the flag value indicating the key is the KSK
+#
+zone=missing-ksk
+infile=missing-ksk.db.in
+zonefile=missing-ksk.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+"$SIGNER" -o "$zone" "$zonefile" >/dev/null 2>&1
+"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" | awk '$4 == "DNSKEY" && $5 == "257" { next } { print }' >"$zonefile.stripped"
+mv "$zonefile.stripped" "$zonefile.signed"
+
+zone=wrong-dnskey
+infile=wrong-dnskey.db.in
+zonefile=wrong-dnskey.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+"$SIGNER" -o "$zone" "$zonefile" >/dev/null 2>&1
+key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+$DSFROMKEY "$key3.key" >"dsset-$zone."
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ MX 10 mx
+ns A 10.53.0.2
+a A 10.0.0.1
+b A 10.0.0.2
watcher.wait_for_line("status: SERVFAIL")
+@pytest.mark.parametrize(
+ "zone",
+ [
+ "missing-dnskey",
+ "wrong-dnskey",
+ "missing-ksk",
+ "a.extradsunknownoid.example",
+ ],
+)
+def test_missing_dnskey(zone, ns4):
+ msg = isctest.query.create(f"a.{zone}", "A")
+ res = isctest.query.tcp(msg, ns4.ip)
+ isctest.check.servfail(res)
+ isctest.check.ede(res, EDECode.DNSKEY_MISSING)
+
+
def test_expired_signatures(ns4):
# check expired signatures do not validate
msg = isctest.query.create("expired.example", "SOA")
projects / thirdparty / bind9.git / commitdiff
