From: Matthijs Mekking Date: Thu, 30 Apr 2026 08:17:40 +0000 (+0200) Subject: Add kasp test case for root with checkds enabled X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e9af18e4a0a2ed8e80692f9322073e258a5a433;p=thirdparty%2Fbind9.git Add kasp test case for root with checkds enabled Add a test case where the root zone has dnssec-policy configured, with checkds enabled. This is a silly case because the root does not have any parent NS records, but it should not crash the server. The same is true for zones that do not have parent NS records, but eventually they will hit the same code path.
---
diff --git a/bin/tests/system/kasp/ns1/named.conf.j2 b/bin/tests/system/kasp/ns1/named.conf.j2
new file mode 100644
index 00000000000..4280a2829cf
--- /dev/null
+++ b/bin/tests/system/kasp/ns1/named.conf.j2
@@ -0,0 +1,21 @@
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ allow-transfer { any; };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+ dnssec-policy default;
+ checkds yes;
+};
diff --git a/bin/tests/system/kasp/ns1/root.db.j2 b/bin/tests/system/kasp/ns1/root.db.j2
new file mode 100644
index 00000000000..709558ab2bf
--- /dev/null
+++ b/bin/tests/system/kasp/ns1/root.db.j2
@@ -0,0 +1,10 @@
+$TTL 300
+. IN SOA . a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
diff --git a/bin/tests/system/kasp/ns1/setup.sh b/bin/tests/system/kasp/ns1/setup.sh
new file mode 100644
index 00000000000..f1b8eaa5bbb
--- /dev/null
+++ b/bin/tests/system/kasp/ns1/setup.sh
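Review bot: The SOA MNAME on the second record line of root.db.j2 is `a.root.servers.nil.`, while the NS and A records in the same file use `a.root-servers.nil.`, so the primary-server name points at a host that does not exist in the zone; this looks like a typo rather than intent. It is harmless for a checkds test on the root, but `. IN SOA . a.root-servers.nil. (` keeps the zone self-consistent and avoids a confusing lookup failure should a later test ever resolve MNAME.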
@@ -0,0 +1,31 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns1/setup.sh"
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+O="OMNIPRESENT"
+
+zone="."
+echo_i "setting up zone: $zone"
+Tpub="now-30d"
+Tact="now-1d"
+keytimes="-P ${Tpub} -A ${Tact}"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 $keytimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $Tpub -r $O $Tpub -d $H $Tact -z $O $Tpub "$CSK" >settime.out.$zone.1 2>&1
+echo "KSK: yes" >>"${CSK}".state
+echo "ZSK: yes" >>"${CSK}".state
diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh
index 2b8cf6b4d86..acf6052a89a 100644
--- a/bin/tests/system/kasp/setup.sh
+++ b/bin/tests/system/kasp/setup.sh
@@ -20,6 +20,10 @@ mkdir keys
 mkdir ns3/keys
 
 # Setup zones
+(
+ cd ns1
+ $SHELL setup.sh
+)
 (
 cd ns2
 $SHELL setup.sh
diff --git a/bin/tests/system/kasp/tests_kasp.py b/bin/tests/system/kasp/tests_kasp.py
index 0c4f42ffda7..7fc28050310 100644
--- a/bin/tests/system/kasp/tests_kasp.py
+++ b/bin/tests/system/kasp/tests_kasp.py
@@ -80,6 +80,7 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns*/signer.out.*",
 "ns*/zones",
 "ns*/policies/*.conf",
+ "ns1/managed-keys.*",
 "ns3/legacy-keys.*",
 "ns3/dynamic-signed-inline-signing.kasp.db.signed.signed",
 "ns4/purgekeys.conf",
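Review bot: With `zone="."`, the redirections `2>keygen.out.$zone.1` and `>settime.out.$zone.1` in ns1/setup.sh create files named `keygen.out...1` and `settime.out...1`, which are easy to misread next to the `keygen.out.<zone>.1` names the other ns directories presumably produce. A literal label, `2>keygen.out.root.1` and `>settime.out.root.1`, keeps the names readable without changing what is captured. Since the script runs under `sh -e`, a failing `$KEYGEN` substitution aborts before the `KSK: yes`/`ZSK: yes` lines are appended to the state file, which is the behavior wanted here.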
@@ -87,6 +88,18 @@ pytestmark = pytest.mark.extra_artifacts(
 ]
 )
 
+default_config = {
+ "dnskey-ttl": timedelta(hours=1),
+ "ds-ttl": timedelta(days=1),
+ "max-zone-ttl": timedelta(days=1),
+ "parent-propagation-delay": timedelta(hours=1),
+ "publish-safety": timedelta(hours=1),
+ "purge-keys": timedelta(days=90),
+ "retire-safety": timedelta(hours=1),
+ "signatures-refresh": timedelta(days=5),
+ "signatures-validity": timedelta(days=14),
+ "zone-propagation-delay": timedelta(minutes=5),
+}
 
 kasp_config = {
 "dnskey-ttl": timedelta(seconds=1234),
@@ -1764,3 +1777,28 @@ def test_kasp_manual_mode(ns3, default_algorithm):
 isctest.kasp.check_keys(zone, keys, expected)
 check_all(ns3, zone, policy, ksks, zsks, manual_mode=True)
 isctest.kasp.check_dnssec_verify(ns3, zone)
+
+
+def test_root_case(ns1):
+ keydir = ns1.identifier
+
+ # Get test parameters.
+ zone = ""
+ policy = "default"
+ ttl = 3600
+
+ isctest.kasp.wait_keymgr_done(ns1, ".")
+
+ # Test case.
+ isctest.log.info(f"check root zone with policy {policy}")
+
+ # First make sure the zone is signed.
+ isctest.kasp.check_dnssec_verify(ns1, zone)
+
+ # Check key properties. DS is expected to go to rumoured, so checkds kicks in.
+ keyprops = [
+ "csk 0 13 256 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured",
+ ]
+ expected = isctest.kasp.policy_to_properties(ttl=ttl, keys=keyprops)
+ keys = isctest.kasp.keydir_to_keylist(zone, keydir)
+ isctest.kasp.check_keys(zone, keys, expected)
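Review bot: `default_config` is added without a comment saying what its values are tied to, and nothing in the visible hunks of this commit reads it; the new `test_root_case` below hard-codes `ttl = 3600` instead of using `default_config["dnskey-ttl"]`. The values appear to mirror BIND's built-in `default` dnssec-policy, which is what the root zone in ns1/named.conf.j2 selects, so a one-line comment such as `# Expected values of the built-in "default" dnssec-policy used by ns1.` would tell a maintainer what to keep in sync and make the intended consumer obvious.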
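Review bot: The `keyprops` entry in `test_root_case` hard-codes algorithm `13` and key size `256`, although ns1/setup.sh generates the key with `$DEFAULT_ALGORITHM` and the neighbouring `test_kasp_manual_mode` signature takes a `default_algorithm` fixture; if the default algorithm is ever switched, this test fails on the literal numbers rather than on the checkds behavior it is meant to exercise. Take the fixture here too, `def test_root_case(ns1, default_algorithm):`, and build the `csk ...` string from it as the sibling tests that accept the fixture presumably do (their bodies are outside this hunk). `zone = ""` is passed to the key helpers while `wait_keymgr_done(ns1, ".")` gets `"."`; if both spellings are required by the respective helpers, a comment saying so would stop a reader from "fixing" one of them. The function has no docstring; a one-liner such as `"""Root zone with dnssec-policy and checkds enabled: must sign, not crash, and move the CSK DS to rumoured."""` states the intent the commit message gives.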