From: Evan Hunt
Date: Sun, 3 May 2026 07:41:58 +0000 (-0700)
Subject: Add a test with an active truncated key
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a225d04fd211a0d5f6bf736db78ab59c85ab514c;p=thirdparty%2Fbind9.git

Add a test with an active truncated key

Check that an invalid truncated key is handled correctly.

(cherry picked from commit a812bc52eb566be8cd5f5c962521da53be2654ad)
---
diff --git a/bin/tests/system/dnssec_malformed_dnskey/ns2/named.conf.j2 b/bin/tests/system/dnssec_malformed_dnskey/ns2/named.conf.j2
index 8aa4a3ea029..137abbb4c89 100644
--- a/bin/tests/system/dnssec_malformed_dnskey/ns2/named.conf.j2
+++ b/bin/tests/system/dnssec_malformed_dnskey/ns2/named.conf.j2
@@ -34,9 +34,14 @@ zone example. {
 file "example.db.signed.malformed";
 };
-zone truncated.selfsigned. {
+zone truncated-active.selfsigned. {
 type primary;
- file "truncated.selfsigned.db.signed";
+ file "truncated-active.selfsigned.db.signed";
+};
+
+zone truncated-revoked.selfsigned. {
+ type primary;
+ file "truncated-revoked.selfsigned.db.signed";
 };
 include "trusted.conf";
diff --git a/bin/tests/system/dnssec_malformed_dnskey/ns2/truncated-active.selfsigned.db.signed b/bin/tests/system/dnssec_malformed_dnskey/ns2/truncated-active.selfsigned.db.signed
new file mode 100644
index 00000000000..16416bfeb09
--- /dev/null
+++ b/bin/tests/system/dnssec_malformed_dnskey/ns2/truncated-active.selfsigned.db.signed
@@ -0,0 +1,34 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+@ IN SOA mname1. . (
+ 1 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+
+@ NS @
+@ A 10.53.0.2
+
+; The following DNSKEY is too short for the algorithm, but will be
+; accepted by the DNSKEY parser code, which only checks for minimum length.
+@ DNSKEY 257 3 14 fYA=
+
+@ RRSIG SOA 14 2 86400 20950926153053 20251013153053 33167 @ xxxx5f7U0DiPvKFxpB83mTyqkAO0TfM0 xe4ZMYoJUQEPYdd0GTNkFzI6crsbU0lQ t/V1YOxAt5B+T1ch9n5dhYwt7ZTqluI2 mr6myKMesdPl1zp1hEgkmFpCG3NOXl2Z
+@ RRSIG NS 14 2 86400 20950926153053 20251013153053 33167 @ xxxxLBPc05g7v/K5UfGuXsHH8xd29eQb 5qWe+Ei4Qn0GlmH0x/VIJiJMZXuxD5S+ VhP7DiX7uKIxi0QS2DOK1aOMXq/2WiUV 2VBmYAoSUilMlJY84I2XbzqD5iz5y+yp
+@ RRSIG A 14 2 86400 20950926153053 20251013153053 33167 @ xxxx6UguMh8jgdVox2UVURjEsAP0D8o2 mFofnFOd6eYf+49QlWD+GX6x60X/hPVi f2XFsajouCvT/ZSmoXKWad3RC1DLHF/H TdOGMKlT4DfvbeJV+N5N0bgu2Wv3QRdM
+@ RRSIG DNSKEY 14 2 86400 20950926153053 20251013153053 33167 @ xxxxqayRNsL32Km0c9AjwN0RNktt4iGb 97Dwi0uiHPcM4eVNZR2w68XMUh43+nR1 DA1QE2RqIqt7soEIwi1z4kAczf7W1wrP 7dcbEwjxS9D1CefuNRG1xnj9wGsqKecI
+@ NSEC a A NS SOA RRSIG NSEC DNSKEY
+@ RRSIG NSEC 14 2 0 20950926153053 20251013153053 33167 @ xxxx4Y6vqeOJHWEeg0T0OY4z7BdDrTkn BY9Yra8zSjFEGZvIX3irPd81+u5xlA0T 9waJO2Y9W42IMrOeKdQt++QXVHsLhOYn 4NAF6RotHSb4cqv1DXI1PSchMaJ5FWwD
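Review bot: The only comment in truncated-active.selfsigned.db.signed explains the short DNSKEY, but nothing says that the five RRSIG records are placeholders; each names key tag 33167 and carries signature data starting with `xxxx`, which looks deliberate rather than generated. I would add `; The RRSIGs below are not real signatures; they only need to name algorithm 14 and key tag 33167.` before the first RRSIG, so nobody tries to re-sign the fixture. The validity window (20251013153053 to 20950926153053) deserves the same one-line explanation, since it appears to be chosen so the fixture never expires during a test run.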
diff --git a/bin/tests/system/dnssec_malformed_dnskey/ns2/truncated.selfsigned.db.signed b/bin/tests/system/dnssec_malformed_dnskey/ns2/truncated-revoked.selfsigned.db.signed
similarity index 100%
rename from bin/tests/system/dnssec_malformed_dnskey/ns2/truncated.selfsigned.db.signed
rename to bin/tests/system/dnssec_malformed_dnskey/ns2/truncated-revoked.selfsigned.db.signed
diff --git a/bin/tests/system/dnssec_malformed_dnskey/ns2/trusted.conf.j2 b/bin/tests/system/dnssec_malformed_dnskey/ns2/trusted.conf.j2
index b7e95e76f1e..730c2e0ba7b 100644
--- a/bin/tests/system/dnssec_malformed_dnskey/ns2/trusted.conf.j2
+++ b/bin/tests/system/dnssec_malformed_dnskey/ns2/trusted.conf.j2
@@ -14,14 +14,17 @@ trust-anchors {
 example. static-key 257 3 14 "@ksk_public_key@";
+ truncated-active.selfsigned. static-key 257 3 14 "fYA=";
+
 /*
 * The key tag in the trust anchor must match that of the revoked
- * truncated self-signed key in the truncated.selfsigned. zone.
+ * truncated self-signed key in the truncated-revoked.selfsigned.
+ * zone.
 *
 * The DNSKEY contents are intentionally different here, because the
 * key doesn't have the revoked bit here and that flag is part of the
 * key tag. The following decodes to key tag 33167, which is the same
 * as the revoked truncated key in the zone file.
 */
- truncated.selfsigned. static-key 257 3 14 "fYA=";
+ truncated-revoked.selfsigned. static-key 257 3 14 "fYA=";
 };
diff --git a/bin/tests/system/dnssec_malformed_dnskey/ns3/named.conf.j2 b/bin/tests/system/dnssec_malformed_dnskey/ns3/named.conf.j2
index 09827b30f77..6fb979b5caf 100644
--- a/bin/tests/system/dnssec_malformed_dnskey/ns3/named.conf.j2
+++ b/bin/tests/system/dnssec_malformed_dnskey/ns3/named.conf.j2
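Review bot: In trusted.conf.j2 the added `truncated-active.selfsigned.` anchor has no comment of its own, and the block comment right below it describes only the revoked case, although both anchors carry the same `"fYA="` data. For the active zone the anchor is identical to the `DNSKEY 257 3 14 fYA=` record this commit adds in truncated-active.selfsigned.db.signed, so no key tag adjustment is involved. I would put `/* Same flags, algorithm and key data as the DNSKEY in the truncated-active.selfsigned. zone. */` above the new line, so a reader does not apply the "intentionally different" explanation to both entries.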
@@ -28,7 +28,12 @@ zone "example." {
 server-addresses { 10.53.0.2; };
 };
-zone "truncated.selfsigned." {
+zone "truncated-active.selfsigned." {
+ type static-stub;
+ server-addresses { 10.53.0.2; };
+};
+
+zone "truncated-revoked.selfsigned." {
 type static-stub;
 server-addresses { 10.53.0.2; };
 };
diff --git a/bin/tests/system/dnssec_malformed_dnskey/tests_malformed_dnskey.py b/bin/tests/system/dnssec_malformed_dnskey/tests_malformed_dnskey.py
index 05545c1ef40..a162042b7f4 100644
--- a/bin/tests/system/dnssec_malformed_dnskey/tests_malformed_dnskey.py
+++ b/bin/tests/system/dnssec_malformed_dnskey/tests_malformed_dnskey.py
@@ -194,7 +194,13 @@ def test_multiple_rrsigs(ns3):
 isctest.check.servfail(res)
-def test_truncated_dnskey():
- msg = isctest.query.create("a.truncated.selfsigned.", "A")
+def test_truncated_active_dnskey():
+ msg = isctest.query.create("a.truncated-active.selfsigned.", "A")
+ res = isctest.query.tcp(msg, "10.53.0.3")
+ isctest.check.servfail(res)
+
+
+def test_truncated_revoked_dnskey():
+ msg = isctest.query.create("a.truncated-revoked.selfsigned.", "A")
 res = isctest.query.tcp(msg, "10.53.0.3")
 isctest.check.servfail(res)
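Review bot: Both new tests in tests_malformed_dnskey.py assert only `isctest.check.servfail(res)` on the answer from 10.53.0.3, and the resolver would return the same rcode if ns2 had never loaded the zone, so a broken fixture would pass unnoticed. A precondition at the top of each test would separate the two cases, for example `soa = isctest.query.create("truncated-active.selfsigned.", "SOA")` followed by `isctest.check.noerror(isctest.query.tcp(soa, "10.53.0.2"))`, assuming ns2 answers authoritatively for the apex. The two functions differ only in the zone name and have no docstring saying which key state each covers; a one-line docstring on each, or a single parametrized test, would make that explicit. The body of test_truncated_revoked_dnskey ends on context lines carried over from the old test.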