From: Nicki Křížek
Date: Thu, 10 Jul 2025 13:21:05 +0000 (+0200)
Subject: Split up badkey tests into separate modules
X-Git-Tag: v9.21.11~13^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b7a2061e5fec310c2355c589863eb91b935599a6;p=thirdparty%2Fbind9.git

Split up badkey tests into separate modules

If nsX.reconfigure() is used in a way that might affect other tests within the same module, it's best to split up the tests which need the reconfig to a separate module. This ensures the reconfigure() won't interfere with test results in case the tests are executed separately, or in a different order.
---
diff --git a/bin/tests/system/dnssec/ns9/named.conf.j2 b/bin/tests/system/dnssec/ns9/named.conf.j2
index 3b0e39d3b5f..2a335b5a9ff 100644
--- a/bin/tests/system/dnssec/ns9/named.conf.j2
+++ b/bin/tests/system/dnssec/ns9/named.conf.j2
@@ -13,6 +13,8 @@
 // NS9
+{% set forward_badkey = forward_badkey | default(False) %}
+
 options {
 query-source address 10.53.0.9;
 notify-source 10.53.0.9;
@@ -24,7 +26,6 @@ options {
 recursion yes;
 dnssec-validation yes;
 forward only;
-{% set forward_badkey = forward_badkey | default(False) %}
 {% if forward_badkey %}
 forwarders { 10.53.0.5; };
 {% else %}
diff --git a/bin/tests/system/dnssec/tests_badkey.py b/bin/tests/system/dnssec/tests_badkey.py
index ef3c20b2519..ca80734d4d7 100644
--- a/bin/tests/system/dnssec/tests_badkey.py
+++ b/bin/tests/system/dnssec/tests_badkey.py
@@ -87,38 +87,3 @@ def test_misconfigured_ta_with_cd(check, qname, qtype, rcode_func):
 res2 = isctest.query.tcp(msg, "10.53.0.4")
 isctest.check.noadflag(res2)
 isctest.check.same_answer(res, res2)
-
-
-def test_revoked_init(servers, templates):
- # use a revoked key and try to reiniitialize; check for failure
- ns5 = servers["ns5"]
- templates.render("ns5/named.conf", {"revoked_key": True})
- ns5.reconfigure(log=False)
-
- msg = isctest.query.create(".", "SOA")
- res = isctest.query.tcp(msg, "10.53.0.5")
- isctest.check.servfail(res)
-
-
-def test_broken_forwarding(servers, templates):
- # check forwarder CD behavior (forward server with bad trust anchor)
- ns5 = servers["ns5"]
- templates.render("ns5/named.conf", {"broken_key": True})
- ns5.reconfigure(log=False)
-
- ns9 = servers["ns9"]
- templates.render("ns9/named.conf", {"forward_badkey": True})
- ns9.reconfigure(log=False)
-
- # confirm invalid trust anchor produces SERVFAIL in resolver
- msg = isctest.query.create("a.secure.example.", "A")
- res = isctest.query.tcp(msg, "10.53.0.5")
- isctest.check.servfail(res)
-
- # check that lookup involving forwarder succeeds and SERVFAIL was received
- with ns9.watch_log_from_here() as watcher:
- msg = isctest.query.create("a.secure.example.", "SOA")
- res = isctest.query.tcp(msg, "10.53.0.9")
- isctest.check.noerror(res)
- assert (res.flags & flags.AD) != 0
- watcher.wait_for_line("status: SERVFAIL")
diff --git a/bin/tests/system/dnssec/tests_badkey_broken.py b/bin/tests/system/dnssec/tests_badkey_broken.py
new file mode 100644
index 00000000000..5d09a862ea8
--- /dev/null
+++ b/bin/tests/system/dnssec/tests_badkey_broken.py
@@ -0,0 +1,45 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from dns import flags
+
+import pytest
+
+import isctest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure(servers, templates):
+ ns5 = servers["ns5"]
+ templates.render("ns5/named.conf", {"broken_key": True})
+ ns5.reconfigure(log=False)
+
+ ns9 = servers["ns9"]
+ templates.render("ns9/named.conf", {"forward_badkey": True})
+ ns9.reconfigure(log=False)
+
+
+def test_broken_forwarding(servers):
+ # check forwarder CD behavior (forward server with bad trust anchor)
+ ns9 = servers["ns9"]
+
+ # confirm invalid trust anchor produces SERVFAIL in resolver
+ msg = isctest.query.create("a.secure.example.", "A")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
+
+ # check that lookup involving forwarder succeeds and SERVFAIL was received
+ with ns9.watch_log_from_here() as watcher:
+ msg = isctest.query.create("a.secure.example.", "SOA")
+ res = isctest.query.tcp(msg, "10.53.0.9")
+ isctest.check.noerror(res)
+ assert (res.flags & flags.AD) != 0
+ watcher.wait_for_line("status: SERVFAIL")
diff --git a/bin/tests/system/dnssec/tests_badkey_revoked.py b/bin/tests/system/dnssec/tests_badkey_revoked.py
new file mode 100644
index 00000000000..eba2eaba02e
--- /dev/null
+++ b/bin/tests/system/dnssec/tests_badkey_revoked.py
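Review bot: In tests_badkey_broken.py, `watcher.wait_for_line("status: SERVFAIL")` at the end of test_broken_forwarding accepts any SERVFAIL line that ns9 logs after the watch starts, so the test does not show that the SERVFAIL came from the forwarder at 10.53.0.5 for the `a.secure.example.` lookup. If the logged line carries the query name or the forwarder address, matching on that as well would pin the check to the case the comment describes. The module-scoped `reconfigure` fixture leaves ns5 with the broken trust anchor and ns9 forwarding to it, and as far as the hunk shows nothing restores them; a docstring such as `"""Give ns5 a broken trust anchor and make ns9 forward to it for every test in this module."""` would tell the next author that tests added here run against a deliberately broken validator. The same docstring point applies to the `reconfigure` fixture in tests_badkey_revoked.py.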
@@ -0,0 +1,28 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+import isctest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure(servers, templates):
+ ns5 = servers["ns5"]
+ templates.render("ns5/named.conf", {"revoked_key": True})
+ ns5.reconfigure(log=False)
+
+
+def test_revoked_init():
+ # use a revoked key and check for failure when using revoked key
+ msg = isctest.query.create(".", "SOA")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.servfail(res)
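Review bot: test_revoked_init in tests_badkey_revoked.py asserts only `isctest.check.servfail(res)`, so a SERVFAIL from 10.53.0.5 for a reason unrelated to the revoked trust anchor would pass just the same. Nothing in the hunk ties the failure to the key state, and what `log=False` leaves unchecked in `ns5.reconfigure` is not visible here, so it is worth confirming that the revoked-key condition is observed somewhere. The new comment also repeats itself and no longer says where the revoked key comes from, now that the test takes no fixtures of its own. Something like `# ns5 was reconfigured with a revoked trust anchor by the module fixture; validating the root SOA must fail` would make that dependency explicit.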