From: Ondřej Surý Date: Mon, 23 Feb 2026 10:17:40 +0000 (+0100) Subject: Add test for mixed unsupported DS records X-Git-Tag: v9.21.19~10^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=46f15f4f9d2e83b92d1c04896f07a2253cc6041c;p=thirdparty%2Fbind9.git
Add test for mixed unsupported DS records
Add a system test that has one invalid DS record with supported algorithm and one unsupported DS record. Both DNSKEY and A queries must fail with SERVFAIL.
---
diff --git a/bin/tests/system/dnssec-unsupported-ds/ns1/named.conf.j2 b/bin/tests/system/dnssec-unsupported-ds/ns1/named.conf.j2
new file mode 100644
index 00000000000..abfad948c68
--- /dev/null
+++ b/bin/tests/system/dnssec-unsupported-ds/ns1/named.conf.j2
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ minimal-any no;
+ minimal-responses no;
+ recursion no;
+ notify yes;
+ dnssec-validation yes;
+ /* test that we can turn off trust-anchor-telemetry */
+ trust-anchor-telemetry no;
+};
+
+zone "." {
+ type primary;
+ file "zones/root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec-unsupported-ds/ns1/sign.sh b/bin/tests/system/dnssec-unsupported-ds/ns1/sign.sh
new file mode 100755
index 00000000000..ac42bb859d5
--- /dev/null
+++ b/bin/tests/system/dnssec-unsupported-ds/ns1/sign.sh
@@ -0,0 +1,37 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+set -e
+
+echo_i "ns1/sign.sh"
+
+zone=.
+
+mkdir -p keys
+ksk=$("$KEYGEN" -K keys -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "${zone}")
+zsk=$("$KEYGEN" -K keys -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "${zone}")
+
+cat "zones/root.db.in" "keys/$ksk.key" "keys/$zsk.key" ../ns2/dsset-example. >"zones/root.db"
+
+"$SIGNER" -S -K "keys" \
+ -o . \
+ -f "zones/root.db.signed" \
+ "zones/root.db" >/dev/null 2>&1
+
+keyfile_to_static_ds "keys/$ksk" >trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns4/trusted.conf
diff --git a/bin/tests/system/dnssec-unsupported-ds/ns1/zones/root.db.in b/bin/tests/system/dnssec-unsupported-ds/ns1/zones/root.db.in
new file mode 100644
index 00000000000..5744823ca26
--- /dev/null
+++ b/bin/tests/system/dnssec-unsupported-ds/ns1/zones/root.db.in
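Review bot: The `cat` line concatenates `../ns2/dsset-example.`, so this script only works once ns2/sign.sh has written that file, yet nothing in the script states the dependency; it is encoded only by the run order in setup.sh (ns3, then ns2, then ns1). A one-line comment above the `cat` would spare the next person a failing run, e.g. `# ../ns2/dsset-example. is produced by ns2/sign.sh; setup.sh runs ns3, ns2, ns1 in that order`. The same applies to ns2/sign.sh, which reads `../ns3/dsset-child.example.` without saying where it comes from.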
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 300 IN SOA gson.nominum.com. a.root.servers.nil. 2000042100 600 600 1200 600
+ns2.example. 300 IN A 10.53.0.2
+example. 300 IN NS ns2.example.
+a.root-servers.nil. 300 IN A 10.53.0.1
+. 300 IN NS a.root-servers.nil.
diff --git a/bin/tests/system/dnssec-unsupported-ds/ns2/named.conf.j2 b/bin/tests/system/dnssec-unsupported-ds/ns2/named.conf.j2
new file mode 100644
index 00000000000..5de17b11c2a
--- /dev/null
+++ b/bin/tests/system/dnssec-unsupported-ds/ns2/named.conf.j2
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../_common/root.hint";
+};
+
+zone "example." {
+ type primary;
+ file "zones/example.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec-unsupported-ds/ns2/sign.sh b/bin/tests/system/dnssec-unsupported-ds/ns2/sign.sh
new file mode 100755
index 00000000000..8bfd0dd9393
--- /dev/null
+++ b/bin/tests/system/dnssec-unsupported-ds/ns2/sign.sh
@@ -0,0 +1,35 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+set -e
+
+echo_i "ns2/sign.sh"
+
+zone=example.
+
+mkdir -p keys
+ksk=$("$KEYGEN" -K keys -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "${zone}")
+zsk=$("$KEYGEN" -K keys -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "${zone}")
+
+cat "zones/${zone}db.in" "keys/$ksk.key" "keys/$zsk.key" >"zones/${zone}db"
+
+<"../ns3/dsset-child.${zone}" sed -E "s/[[:space:]]+$DEFAULT_ALGORITHM_NUMBER[[:space:]]+/ 12 /" >>"zones/${zone}db"
+<"../ns3/dsset-child.${zone}" sed -E "s/[[:space:]]+$DEFAULT_ALGORITHM_NUMBER[[:space:]]+2[[:space:]]+.*/ $DEFAULT_ALGORITHM_NUMBER 2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/" >>"zones/${zone}db"
+
+"$SIGNER" -S -K "keys" \
+ -o "${zone}" \
+ -f "zones/${zone}db.signed" \
+ "zones/${zone}db" >/dev/null 2>&1
diff --git a/bin/tests/system/dnssec-unsupported-ds/ns2/zones/example.db.in b/bin/tests/system/dnssec-unsupported-ds/ns2/zones/example.db.in
new file mode 100644
index 00000000000..2ca37a78ced
--- /dev/null
+++ b/bin/tests/system/dnssec-unsupported-ds/ns2/zones/example.db.in
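Review bot: The two `sed` lines near the end of the hunk are the whole point of this fixture but carry no comment, and the first one is anchored only on whitespace around `$DEFAULT_ALGORITHM_NUMBER`, so it rewrites the first numeric field that happens to equal the algorithm number — if a generated key tag ever equals it, the key-tag field is changed instead of the algorithm field and the fixture silently stops testing what the commit message describes. Selecting the field by position avoids that, e.g. `awk '{ $5 = 12; print }'` for the first line and `awk -v alg="$DEFAULT_ALGORITHM_NUMBER" '$5 == alg && $6 == 2 { $7 = "<fabricated digest>"; print }'` for the second (assuming the dsset lines are `owner IN DS keytag alg digesttype digest`, to be confirmed against the generated file). Each line also deserves a comment saying what it produces, e.g. `# DS 1: the real child digest under algorithm 12, presumably chosen because named does not support it` and `# DS 2: the supported algorithm with a fabricated SHA-256 digest that matches no DNSKEY`. The `zones/${zone}db.in` spelling relies on the trailing dot in `zone=example.` to form `example.db.in`, which is worth one more comment.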
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example. 300 IN SOA ns1.example. admin.example. 2026021901 3600 900 86400 300
+ns1.example. 300 IN A 10.53.0.2
+ns1.child.example. 300 IN A 10.53.0.3
+child.example. 300 IN NS ns1.child.example.
+example. 300 IN NS ns1.example.
diff --git a/bin/tests/system/dnssec-unsupported-ds/ns3/named.conf.j2 b/bin/tests/system/dnssec-unsupported-ds/ns3/named.conf.j2
new file mode 100644
index 00000000000..511de253ca6
--- /dev/null
+++ b/bin/tests/system/dnssec-unsupported-ds/ns3/named.conf.j2
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../_common/root.hint";
+};
+
+zone "child.example." {
+ type primary;
+ file "zones/child.example.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec-unsupported-ds/ns3/sign.sh b/bin/tests/system/dnssec-unsupported-ds/ns3/sign.sh
new file mode 100755
index 00000000000..08a5c797e6c
--- /dev/null
+++ b/bin/tests/system/dnssec-unsupported-ds/ns3/sign.sh
@@ -0,0 +1,32 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+set -e
+
+echo_i "ns3/sign.sh"
+
+zone=child.example.
+
+mkdir -p keys
+ksk=$("$KEYGEN" -K keys -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "${zone}")
+zsk=$("$KEYGEN" -K keys -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "${zone}")
+
+cat "zones/${zone}db.in" "keys/$ksk.key" "keys/$zsk.key" >"zones/${zone}db"
+
+"$SIGNER" -S -K "keys" \
+ -o "${zone}" \
+ -f "zones/${zone}db.signed" \
+ "zones/${zone}db" >/dev/null 2>&1
diff --git a/bin/tests/system/dnssec-unsupported-ds/ns3/zones/child.example.db.in b/bin/tests/system/dnssec-unsupported-ds/ns3/zones/child.example.db.in
new file mode 100644
index 00000000000..d35bf87f7d7
--- /dev/null
+++ b/bin/tests/system/dnssec-unsupported-ds/ns3/zones/child.example.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+child.example. 300 IN SOA ns1.child.example. admin.child.example. 2026021901 3600 900 86400 300
+api.child.example. 300 IN A 192.0.2.102
+child.example. 300 IN MX 10 mail.child.example.
+mail.child.example. 300 IN A 192.0.2.101
+www.child.example. 300 IN A 192.0.2.100
+ns1.child.example. 300 IN A 10.53.0.3
+child.example. 300 IN NS ns1.child.example.
diff --git a/bin/tests/system/dnssec-unsupported-ds/ns4/named.conf.j2 b/bin/tests/system/dnssec-unsupported-ds/ns4/named.conf.j2
new file mode 100644
index 00000000000..af986ef5934
--- /dev/null
+++ b/bin/tests/system/dnssec-unsupported-ds/ns4/named.conf.j2
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../_common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec-unsupported-ds/setup.sh b/bin/tests/system/dnssec-unsupported-ds/setup.sh
new file mode 100755
index 00000000000..3b40ffc5bd0
--- /dev/null
+++ b/bin/tests/system/dnssec-unsupported-ds/setup.sh
@@ -0,0 +1,32 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+(
+ cd ns3
+ $SHELL sign.sh
+)
+
+(
+ cd ns2
+ $SHELL sign.sh
+)
+
+(
+ cd ns1
+ $SHELL sign.sh
+)
diff --git a/bin/tests/system/dnssec-unsupported-ds/tests_mixed_ds.py b/bin/tests/system/dnssec-unsupported-ds/tests_mixed_ds.py
new file mode 100644
index 00000000000..e1cf82c1324
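Review bot: The three subshells in setup.sh run ns3, ns2, ns1 in that order because each parent's sign.sh consumes the dsset file the child's sign.sh writes (ns2/sign.sh reads `../ns3/dsset-child.example.`, ns1/sign.sh reads `../ns2/dsset-example.`), but nothing in the file says so, so the order reads as arbitrary and a later tidy-up could break the fixture. Add `# Sign child-to-parent: ns2 needs ns3's dsset file, ns1 needs ns2's.` above the first subshell.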
--- /dev/null
+++ b/bin/tests/system/dnssec-unsupported-ds/tests_mixed_ds.py
@@ -0,0 +1,36 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+import isctest
+
+pytestmark = pytest.mark.extra_artifacts(
+ [
+ "ns*/dsset-*",
+ "ns*/keys",
+ "ns*/keys/*.key",
+ "ns*/keys/*.private",
+ "ns*/trusted.conf",
+ "ns*/zones/*.db",
+ "ns*/zones/*.db.signed",
+ ]
+)
+
+
+def test_mixed_ds():
+ msg = isctest.query.create("child.example.", "DNSKEY")
+ res = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.servfail(res)
+
+ msg = isctest.query.create("child.example.", "A")
+ res = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.servfail(res)
diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py
index 1122180eaab..8d88a2693dd 100644
--- a/bin/tests/system/dnssec/tests_validation.py
+++ b/bin/tests/system/dnssec/tests_validation.py
@@ -407,9 +407,7 @@ def test_private_algorithms(ns4):
 res2 = isctest.query.tcp(msg, "10.53.0.4")
 isctest.check.noerror(res1)
 isctest.check.servfail(res2)
- watcher.wait_for_line(
- "no DNSKEY matching DS"
- )
+ watcher.wait_for_line("no DNSKEY matching DS")
 
 
 @isctest.mark.extended_ds_digest
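Review bot: `isctest.check.servfail(res)` on its own does not show that the mixed DS RRset caused the failure — SERVFAIL is also what ns4 returns when an authoritative server is unreachable or a signing step misfired, so a broken fixture would pass this test. The tests_validation.py hunk in the same commit pins the cause with `watcher.wait_for_line("no DNSKEY matching DS")` after the query (the watcher itself is created outside that hunk); the same pattern here, waiting for the validator's log line for this scenario (`<log line to confirm from ns4/named.run>`), would make the assertion meaningful. The two query/check pairs are identical apart from the qtype and would read better as `for qtype in ("DNSKEY", "A"):`, with a short docstring on `test_mixed_ds` stating that child.example. has one DS with an unsupported algorithm and one with a bad digest, and that both queries must yield SERVFAIL.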