From: Colin Vidal Date: Tue, 16 Dec 2025 18:33:50 +0000 (+0100) Subject: update SERVFAIL cache test X-Git-Tag: v9.21.17~31^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d07deba6158bb0cd16c02917350e79c3f75197c5;p=thirdparty%2Fbind9.git update SERVFAIL cache test An existing SERVFAIL cache test is updated as it initially checks there are no EDE (the first SERVFAIL) then immediately re-does the same query, (still SERVFAIL), and expect the CACHED_ERROR EDE. However, the configuration used for this test to generate a SERVFAIL is a broken DNSSEC configuration, where the DNSKEY is not the expected one (it's a ZSK instead of a KZK). As a result, the first attempt also now raise an EDE (MISSING_DNSKEY). --- diff --git a/bin/tests/system/sfcache/ns2/sign.sh b/bin/tests/system/sfcache/ns2/sign.sh index fa5cf501328..867c8b658f9 100644 --- a/bin/tests/system/sfcache/ns2/sign.sh +++ b/bin/tests/system/sfcache/ns2/sign.sh @@ -20,6 +20,10 @@ zone=example. infile=example.db.in zonefile=example.db +# The zone is signed but it's broken: instead of having a ZSK and a KSK (which +# is the DNSKEY pointed by the parent's DS), it has two ZSKs. As a result, +# `example.` validations will always fail, resulting into a SERVFAIL on +# validating resolvers. keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") diff --git a/bin/tests/system/sfcache/tests_sfcache.py b/bin/tests/system/sfcache/tests_sfcache.py index 4802fbafa96..bed8b36da9d 100644 --- a/bin/tests/system/sfcache/tests_sfcache.py +++ b/bin/tests/system/sfcache/tests_sfcache.py @@ -20,9 +20,11 @@ def check_sfcache_ede(ns, ede): res = isctest.query.udp(msg, ns.ip) isctest.check.servfail(res) if ede: + # The SERVFAIL is cached, so now it shows up the EDE CACHED_ERROR, but not the DNSKEY_MISSING. isctest.check.ede(res, EDECode.CACHED_ERROR) else: - isctest.check.noede(res) + # example. domain DNSSEC is misconfigured on ns2, as it have two ZSK but no KSK. As a result, the DNSKEY for example. can't be found. + isctest.check.ede(res, EDECode.DNSKEY_MISSING) def test_sfcache_ede(ns5, templates):