From: Petr Špaček
Date: Fri, 11 Jul 2025 08:22:33 +0000 (+0200)
Subject: Test proof of nonexistance of DS in insecure referrals
X-Git-Tag: v9.21.11~22^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=548632b18aee8fa05c67a0284522a1e19183310c;p=thirdparty%2Fbind9.git

Test proof of nonexistance of DS in insecure referrals

Currently this test is limited only to auth because currently BIND resolver does not send DS proof of nonexistence for RD=0 queries.
---
diff --git a/bin/tests/system/nsec3-answer/tests_nsec3.py b/bin/tests/system/nsec3-answer/tests_nsec3.py
index 578b5ddc057..fad7595bbd0 100755
--- a/bin/tests/system/nsec3-answer/tests_nsec3.py
+++ b/bin/tests/system/nsec3-answer/tests_nsec3.py
@@ -65,10 +65,35 @@ def do_test_query(
 )
 def test_nodata(server, qname: dns.name.Name, named_port: int) -> None:
 """An existing name, no wildcards, but a query type for RRset which does not exist"""
+ _, nsec3check = do_test_query(qname, dns.rdatatype.HINFO, server, named_port)
+ check_nodata(qname, nsec3check)
+
+
+@pytest.mark.parametrize("server", [pytest.param(AUTH, id="ns1")])
+@given(
+ qname=dns_names(
+ suffix=(ZONE.delegations - ZONE.get_names_with_type(dns.rdatatype.DS))
+ )
+)
+def test_nodata_ds(server, qname: dns.name.Name, named_port: int) -> None:
+ """Auth sends proof of nonexistance with referral without DS RR. Opt-out is not supported."""
 response, nsec3check = do_test_query(qname, dns.rdatatype.HINFO, server, named_port)
- assert response.rcode() is dns.rcode.NOERROR
- nsec3check.prove_name_exists(qname)
+ nsrr = None
+ for rrset in response.authority:
+ if rrset.rdtype == dns.rdatatype.NS:
+ nsrr = rrset
+ break
+ assert nsrr is not None, "NS RRset missing in delegation answer"
+
+ # DS RR does not exist so we must prove it by having NSEC3 with QNAME
+ check_nodata(nsrr.name, nsec3check)
+
+
+def check_nodata(name: dns.name.Name, nsec3check: "NSEC3Checker"):
+ assert nsec3check.response.rcode() is dns.rcode.NOERROR
+
+ nsec3check.prove_name_exists(name)
 nsec3check.check_extraneous_rrs()
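Review bot: `test_nodata_ds` never asserts that the authority section is free of a DS RRset, so the "referral without DS RR" named in its docstring is assumed rather than checked. Adding `assert not any(rrset.rdtype == dns.rdatatype.DS for rrset in response.authority)` after the NS lookup would pin it. The proof itself is left to `check_nodata`, which calls `prove_name_exists(nsrr.name)`, a method defined outside this hunk. If that method only matches the NSEC3 owner hash, the test would still pass on a type bitmap that wrongly lists DS, and that bit is what a validator relies on to accept the delegation as insecure, so it is worth confirming the bitmap is checked (NS set, DS and SOA clear). The comment `# ... NSEC3 with QNAME` is also inaccurate, because the name checked is the NS owner `nsrr.name`, which presumably can be an ancestor of the generated `qname`; suggest `# DS RR does not exist, so an NSEC3 matching the delegation owner name must prove it`.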