From: Nicki Křížek
Date: Mon, 8 Jun 2026 15:34:35 +0000 (+0000)
Subject: Add revoked truncated self-signed DNSKEY test to dnssec_py
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1d6866b0ee3167df6114c4943060ca810a8df58f;p=thirdparty%2Fbind9.git

Add revoked truncated self-signed DNSKEY test to dnssec_py

Port test_truncated_dnskey from dnssec_malformed_dnskey into the shared dnssec_py fixture harness, completing the migration and deleting the remaining dnssec_malformed_dnskey files.

Assisted-by: Claude:claude-opus-4-8
---
diff --git a/bin/tests/system/dnssec_malformed_dnskey/ns2/named.conf.j2 b/bin/tests/system/dnssec_malformed_dnskey/ns2/named.conf.j2
deleted file mode 100644
index cb89b52a982..00000000000
--- a/bin/tests/system/dnssec_malformed_dnskey/ns2/named.conf.j2
+++ /dev/null
@@ -1,19 +0,0 @@
-options {
-    query-source address 10.53.0.2;
-    notify-source 10.53.0.2;
-    transfer-source 10.53.0.2;
-    port @PORT@;
-    pid-file "named.pid";
-    listen-on { 10.53.0.2; };
-    listen-on-v6 { none; };
-    allow-transfer { any; };
-    recursion no;
-    dnssec-validation yes;
-};
-
-zone truncated.selfsigned. {
-    type primary;
-    file "truncated.selfsigned.db.signed";
-};
-
-include "trusted.conf";
diff --git a/bin/tests/system/dnssec_malformed_dnskey/ns2/trusted.conf.j2 b/bin/tests/system/dnssec_malformed_dnskey/ns2/trusted.conf.j2
deleted file mode 100644
index 30139fa5aab..00000000000
--- a/bin/tests/system/dnssec_malformed_dnskey/ns2/trusted.conf.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-trust-anchors {
-    /*
-     * The key tag in the trust anchor must match that of the revoked
-     * truncated self-signed key in the truncated.selfsigned. zone.
-     *
-     * The DNSKEY contents are intentionally different here, because the
-     * key doesn't have the revoked bit here and that flag is part of the
-     * key tag. The following decodes to key tag 33167, which is the same
-     * as the revoked truncated key in the zone file.
-     */
-    truncated.selfsigned. static-key 257 3 14 "fYA=";
-};
diff --git a/bin/tests/system/dnssec_malformed_dnskey/ns3/named.conf.j2 b/bin/tests/system/dnssec_malformed_dnskey/ns3/named.conf.j2
deleted file mode 100644
index 939c7b8c354..00000000000
--- a/bin/tests/system/dnssec_malformed_dnskey/ns3/named.conf.j2
+++ /dev/null
@@ -1,26 +0,0 @@
-options {
-    query-source address 10.53.0.3;
-    notify-source 10.53.0.3;
-    transfer-source 10.53.0.3;
-    port @PORT@;
-    pid-file "named.pid";
-    listen-on { 10.53.0.3; };
-    listen-on-v6 { none; };
-    allow-transfer { any; };
-    dnssec-validation yes;
-
-    /* This is the default, but the test relies on it. */
-    max-validation-failures-per-fetch 1;
-};
-
-zone "example." {
-    type static-stub;
-    server-addresses { 10.53.0.2; };
-};
-
-zone "truncated.selfsigned." {
-    type static-stub;
-    server-addresses { 10.53.0.2; };
-};
-
-include "trusted.conf";
diff --git a/bin/tests/system/dnssec_malformed_dnskey/ns3/trusted.conf.j2 b/bin/tests/system/dnssec_malformed_dnskey/ns3/trusted.conf.j2
deleted file mode 120000
index e14af83a929..00000000000
--- a/bin/tests/system/dnssec_malformed_dnskey/ns3/trusted.conf.j2
+++ /dev/null
@@ -1 +0,0 @@
-../ns2/trusted.conf.j2
\ No newline at end of file
diff --git a/bin/tests/system/dnssec_malformed_dnskey/tests_malformed_dnskey.py b/bin/tests/system/dnssec_malformed_dnskey/tests_malformed_dnskey.py
deleted file mode 100644
index cf14498b2ad..00000000000
--- a/bin/tests/system/dnssec_malformed_dnskey/tests_malformed_dnskey.py
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-import base64
-import isctest
-
-
-def test_truncated_dnskey():
-    msg = isctest.query.create("a.truncated.selfsigned.", "A")
-    res = isctest.query.tcp(msg, "10.53.0.3")
-    isctest.check.servfail(res)
diff --git a/bin/tests/system/dnssec_malformed_dnskey/ns2/truncated.selfsigned.db.signed b/bin/tests/system/dnssec_py/ns2/zones/truncated.selfsigned.db.signed.j2
similarity index 98%
rename from bin/tests/system/dnssec_malformed_dnskey/ns2/truncated.selfsigned.db.signed
rename to bin/tests/system/dnssec_py/ns2/zones/truncated.selfsigned.db.signed.j2
index 1a74fd566fc..533dbca0915 100644
--- a/bin/tests/system/dnssec_malformed_dnskey/ns2/truncated.selfsigned.db.signed
+++ b/bin/tests/system/dnssec_py/ns2/zones/truncated.selfsigned.db.signed.j2
@@ -1,3 +1,4 @@
+{% raw %}
 $TTL 300 @ IN SOA mname1. . (
@@ -27,3 +28,4 @@ a A 10.53.0.2
 a RRSIG A 14 3 86400 20950926153053 20251013153053 33167 @ xxxxv31CNatB9xzj3AfTMlwiO0OqxbpJ cWrHN8zjj1ScXpqrHITfG/CZpoECDLWF wkXshDB/QMxHrnXkPKEcR2c9o5tcQT5R nHvtr7HT4Ob5PcY5DnItf3OWhE+bocmW a NSEC @ A RRSIG NSEC a RRSIG NSEC 14 3 0 20950926153053 20251013153053 33167 @ xxxxwMWbUxb3ScBKEVheQ2wFqujc6cyt 28GVCU0wPrBpK72HSsgdYme7IG8ZXGfa IWSU1Kf/om5+El7Tf2vDs7aI1yI7e7YG D5IxMejQg5v3/wtP7AJZXP5K9ICjq/ph
+{% endraw %}
diff --git a/bin/tests/system/dnssec_py/tests_dnskey_truncated_selfsigned.py b/bin/tests/system/dnssec_py/tests_dnskey_truncated_selfsigned.py
new file mode 100644
index 00000000000..fa6ceea85f6
--- /dev/null
+++ b/bin/tests/system/dnssec_py/tests_dnskey_truncated_selfsigned.py
@@ -0,0 +1,45 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from re import compile as Re
+
+from dnssec_py.common import DNSSEC_PY_MARK
+from isctest.template import NS2, TrustAnchor, zones
+from isctest.zone import Zone, configure_root
+
+import isctest
+
+pytestmark = DNSSEC_PY_MARK
+
+
+def bootstrap():
+    zone = Zone("truncated.selfsigned", NS2, signed=True)
+
+    root = configure_root([zone], signed=False) # just delegation, TA is added directly
+
+    # The trust anchor key tag must match the revoked truncated self-signed key
+    # in the zone (key tag 33167). The flags differ here (257 vs 385) because
+    # the revoked bit is not part of the trust anchor, but it is part of the key
+    # tag calculation.
+    zone_ta = TrustAnchor("truncated.selfsigned", "static-key", '257 3 14 "fYA="')
+
+    return {
+        "trust_anchors": [zone_ta],
+        "zones": zones([root, zone]),
+    }
+
+
+def test_truncated_dnskey(ns9):
+    msg = isctest.query.create("a.truncated.selfsigned.", "A")
+    with ns9.watch_log_from_here() as watcher:
+        res = isctest.query.tcp(msg, ns9.ip)
+        watcher.wait_for_line(Re("a.truncated.selfsigned/A.*broken trust chain"))
+    isctest.check.servfail(res)
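Review bot: `bootstrap()` carries nothing over for `max-validation-failures-per-fetch 1;`, which the deleted ns3/named.conf.j2 pinned with the comment "This is the default, but the test relies on it", so `test_truncated_dnskey` now depends silently on whatever the shared ns9 fixture configures for that option. If the harness lets a test pin resolver options, do so; otherwise record the dependency above the `return` in `bootstrap()`, e.g. `# ns9 must keep the default max-validation-failures-per-fetch (1); the` / `# retired ns3 config pinned it explicitly because this test relies on it.`. The log pattern given to `Re(...)` leaves its dots unescaped, so `Re(r"a\.truncated\.selfsigned/A.*broken trust chain")` would match the intended name only. A one-line docstring on `test_truncated_dnskey` saying that a query into a zone whose self-signed DNSKEY is revoked and truncated must come back SERVFAIL together with a "broken trust chain" log entry would state the expected failure mode explicitly.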