From: Evan Hunt Date: Tue, 28 Jan 2025 05:44:51 +0000 (-0800) Subject: add a test with an inconsistent NS RRset X-Git-Tag: ondrej/lock-free-qpzone-reads-v1~46^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e4652a0444a514773686e75752ad5c65daa753d5;p=thirdparty%2Fbind9.git add a test with an inconsistent NS RRset add a zone with different NS RRsets in the parent and child, and test resolver and forwarder behavior with and without +CD.
---
diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in
index 419e613c900..8a057f1b0ec 100644
--- a/bin/tests/system/dnssec/ns1/root.db.in
+++ b/bin/tests/system/dnssec/ns1/root.db.in
@@ -43,3 +43,5 @@ dnskey-rrsigs-stripped. NS ns2.dnskey-rrsigs-stripped.
 ns2.dnskey-rrsigs-stripped. A 10.53.0.2
 ds-rrsigs-stripped. NS ns2.ds-rrsigs-stripped.
 ns2.ds-rrsigs-stripped. A 10.53.0.2
+inconsistent. NS ns2.inconsistent.
+ns2.inconsistent. A 10.53.0.2
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 2e9f3c23e49..e911c9942ab 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -33,6 +33,7 @@ cp "../ns2/dsset-lazy-ksk." .
 cp "../ns2/dsset-peer-ns-spoof." .
 cp "../ns2/dsset-dnskey-rrsigs-stripped." .
 cp "../ns2/dsset-ds-rrsigs-stripped." .
+cp "../ns2/dsset-inconsistent." .
 grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll."
 cp "../ns6/dsset-optout-tld." .
diff --git a/bin/tests/system/dnssec/ns2/inconsistent.db.in b/bin/tests/system/dnssec/ns2/inconsistent.db.in
new file mode 100644
index 00000000000..0f9c2115449
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/inconsistent.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns2.example. . (
+ 2010042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2.example.
+ NS ns3.example.
+ A 10.53.0.1
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in
index 454472d33ed..3b31574579a 100644
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@@ -207,6 +207,11 @@ zone "too-many-iterations" {
 file "too-many-iterations.db.signed";
 };

+zone "inconsistent" {
+ type primary;
+ file "inconsistent.db.signed";
+};
+
 zone "lazy-ksk" {
 type primary;
 file "lazy-ksk.db";
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 1f4b47c4a90..6d10c7f8a52 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
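Review bot: The `ns3 A 10.53.0.3` record at the end of the new zone file is not referenced by either NS RRset visible in this commit: the child apex lists `ns2.example.` and `ns3.example.`, while the delegation added to ns1/root.db.in names only `ns2.inconsistent.`, whose glue is the `ns2 A 10.53.0.2` line. If the extra address record is deliberate, a one-line comment such as `; ns2/ns3 under this zone exist only as glue for the parent delegation; the apex NS names live under example.` would spare the next reader the question of whether the delegation was meant to include ns3. Otherwise it can go, together with the apex `A 10.53.0.1`, which no query in the new tests.sh block touches.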
@@ -432,3 +432,14 @@ cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
 | awk '$4 == "SOA" { $7 = $7 + 1; print; next } { print }' >"$zonefile.next"
 "$SIGNER" -g -o "$zone" -f "$zonefile.next" "$zonefile.next" >/dev/null 2>&1
 cp "$zonefile.stripped" "$zonefile.signed"
+
+#
+# Inconsistent NS RRset between parent and child
+#
+zone=inconsistent
+infile=inconsistent.db.in
+zonefile=inconsistent.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+"$SIGNER" -3 - -g -o "$zone" "$zonefile" >/dev/null 2>&1
diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in
index 21fb38db9d8..d6a44c799de 100644
--- a/bin/tests/system/dnssec/ns4/named3.conf.in
+++ b/bin/tests/system/dnssec/ns4/named3.conf.in
@@ -26,6 +26,8 @@ options {
 bindkeys-file "managed.conf";
 dnssec-accept-expired yes;
 minimal-responses no;
+ servfail-ttl 0;
+
 disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
 disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";};
 disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
diff --git a/bin/tests/system/dnssec/ns9/named.conf.in b/bin/tests/system/dnssec/ns9/named.conf.in
index 06530a08c1b..cdbe7ec8eac 100644
--- a/bin/tests/system/dnssec/ns9/named.conf.in
+++ b/bin/tests/system/dnssec/ns9/named.conf.in
@@ -25,6 +25,7 @@ options {
 dnssec-validation yes;
 forward only;
 forwarders { 10.53.0.4; };
+ servfail-ttl 0;
 };

 key rndc_key {
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 5c5651aac09..f00a7201eed 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
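Review bot: The new header comment `# Inconsistent NS RRset between parent and child` names the condition but not how it comes about, and nothing in ns2/sign.sh shows it: the inconsistency is split across ns1/root.db.in, which delegates with `inconsistent. NS ns2.inconsistent.`, and inconsistent.db.in, whose apex carries `NS ns2.example.` and `NS ns3.example.`. Recording that here keeps the two files from drifting apart silently, e.g. `# parent (ns1/root.db.in) delegates to ns2.inconsistent.; the child apex NS RRset is ns2.example./ns3.example.`. The signing line follows the file's existing `>/dev/null 2>&1` idiom, so a failed `$SIGNER` or `$KEYGEN` run would only surface later, as a missing inconsistent.db.signed when ns2 loads its zones.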
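Review bot: `servfail-ttl 0;` is added to ns4's named3.conf.in (and the same line to ns9/named.conf.in in the next hunk) without a comment saying why, and because it sits in the global `options` block it changes the behaviour of every test run against these configurations, not only the new mismatching-NS check. Presumably it is there so that a SERVFAIL produced by one of the back-to-back queries in tests.sh is not answered from cache for the next one; if so, `// no SERVFAIL caching: tests.sh issues consecutive queries that must be resolved afresh` on the added line would record that, and if the intent is different the comment should say what it is. The `options` block starts and ends outside the hunk.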
@@ -4666,5 +4666,21 @@ n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+echo_i "checking validator behavior with mismatching NS ($n)"
+ret=0
+rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
+$DIG +tcp +cd -p "$PORT" -t ns inconsistent @10.53.0.4 >dig.out.ns4.test$n.1 || ret=1
+grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2" dig.out.ns4.test$n.1 >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n.1 >/dev/null && ret=1
+$DIG +tcp +cd +dnssec -p "$PORT" -t ns inconsistent @10.53.0.4 >dig.out.ns4.test$n.2 || ret=1
+grep "ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2" dig.out.ns4.test$n.2 >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n.2 >/dev/null && ret=1
+$DIG +tcp +dnssec -p "$PORT" -t ns inconsistent @10.53.0.4 >dig.out.ns4.test$n.3 || ret=1
+grep "ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1" dig.out.ns4.test$n.3 >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n.3 >/dev/null || ret=1
+n=$((n + 1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
index f6909dd8ad5..cf374f1dfb5 100644
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@@ -70,6 +70,7 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns2/settime.out.updatecheck-kskonly.secure.zsk",
 "ns2/single-nsec3.db",
 "ns2/too-many-iterations.db",
+ "ns2/inconsistent.db",
 "ns2/trusted.db",
 "ns2/updatecheck-kskonly.secure.ksk.id",
 "ns2/updatecheck-kskonly.secure.ksk.key",
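Review bot: The commit message promises coverage of "resolver and forwarder behavior", but every `$DIG` in the new block goes to `@10.53.0.4`; ns9, the forward-only server whose named.conf.in this commit also changes, is never queried, so the forwarder path is configured but not exercised. Either a parallel block of the same three queries against ns9 (10.53.0.9 by the numbering used here, with its own `rndccmd ... flush` and the counts expected on the forwarding path) should be added, or the message narrowed to the resolver case. Separately, the `ADDITIONAL: 1` expected on the third query appears to rely on ns4 holding no cached addresses for ns2.example./ns3.example. after the `flush`; with `minimal-responses no` on ns4 a cached address would change that count, so a comment on that grep stating the assumption would make a later failure easier to read.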