From: Matthijs Mekking Date: Fri, 12 Dec 2025 14:49:19 +0000 (+0100) Subject: Test invalid DSYNC RRset is rejected X-Git-Tag: v9.21.17~21^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e69eb0528a8fa301bf12fc5832693ef55328234c;p=thirdparty%2Fbind9.git Test invalid DSYNC RRset is rejected The RFC says There MUST NOT be more than one DSYNC record for each combination of RRtype and Scheme. If we encounter more we should drop the response, as the DSYNC RRset is invalid. --- diff --git a/bin/tests/system/multisigner/ns1/root.db.in b/bin/tests/system/multisigner/ns1/root.db.in index 395e28089ec..e96ade64a8b 100644 --- a/bin/tests/system/multisigner/ns1/root.db.in +++ b/bin/tests/system/multisigner/ns1/root.db.in @@ -23,5 +23,8 @@ a.root-servers.nil. A 10.53.0.1 multisigner. NS ns2.multisigner. ns2.multisigner. A 10.53.0.2 +bad-dsync. NS ns2.bad-dsync. +ns2.bad-dsync. A 10.53.0.2 + secondary. NS ns2.secondary. ns2.secondary. A 10.53.0.2 diff --git a/bin/tests/system/multisigner/ns1/setup.sh b/bin/tests/system/multisigner/ns1/setup.sh index 293f6ff1923..b6cf3028d1a 100644 --- a/bin/tests/system/multisigner/ns1/setup.sh +++ b/bin/tests/system/multisigner/ns1/setup.sh @@ -22,7 +22,7 @@ zonefile=root.db echo_i "ns1/setup.sh" -for tld in multisigner secondary; do +for tld in multisigner bad-dsync secondary; do cp "../ns2/dsset-${tld}." . done diff --git a/bin/tests/system/multisigner/ns2/bad-dsync.db.in.j2 b/bin/tests/system/multisigner/ns2/bad-dsync.db.in.j2 new file mode 100644 index 00000000000..b84eb5afec7 --- /dev/null +++ b/bin/tests/system/multisigner/ns2/bad-dsync.db.in.j2 
@@ -0,0 +1,35 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +$ORIGIN bad-dsync. + +bad-dsync. IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 +ns2 A 10.53.0.2 + +scanner A 10.53.0.2 + +model2 NS ns3 + NS ns4 + +ns3.model2 A 10.53.0.3 +ns4.model2 A 10.53.0.4 + +*._dsync DSYNC CDS NOTIFY @PORT@ scanner1 +*._dsync DSYNC CDS NOTIFY @PORT@ scanner2 diff --git a/bin/tests/system/multisigner/ns2/named.conf.j2 b/bin/tests/system/multisigner/ns2/named.conf.j2 index 951c840d495..f2ef9302afd 100644 --- a/bin/tests/system/multisigner/ns2/named.conf.j2 +++ b/bin/tests/system/multisigner/ns2/named.conf.j2 @@ -40,6 +40,11 @@ zone "multisigner" { file "multisigner.db.signed"; }; +zone "bad-dsync" { + type primary; + file "bad-dsync.db.signed"; +}; + zone "secondary" { type primary; file "secondary.db.signed"; diff --git a/bin/tests/system/multisigner/ns2/setup.sh b/bin/tests/system/multisigner/ns2/setup.sh index 025c5d32047..4fd349125dc 100644 --- a/bin/tests/system/multisigner/ns2/setup.sh +++ b/bin/tests/system/multisigner/ns2/setup.sh @@ -35,4 +35,5 @@ setup() { } setup "multisigner" +setup "bad-dsync" setup "secondary" diff --git a/bin/tests/system/multisigner/ns3/model2.bad-dsync.db b/bin/tests/system/multisigner/ns3/model2.bad-dsync.db new file mode 100644 index 00000000000..5850e016b9a --- /dev/null +++ b/bin/tests/system/multisigner/ns3/model2.bad-dsync.db 
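Review bot: The two `*._dsync` records at the end of bad-dsync.db.in.j2 are the whole point of the fixture — same NOTIFY scheme and same CDS RRtype, which the commit message says the spec forbids — but nothing in the file says so, and a later cleanup could collapse them into one record and silently turn the test green for the wrong reason. Add a comment above them, e.g. `; Deliberately invalid: two DSYNC records for the same scheme (NOTIFY) and RRtype (CDS); the fetching side must treat the RRset as invalid and drop the response.` Separately, the NOTIFY targets `scanner1` and `scanner2` have no address records in this zone (only `scanner` does); that is presumably harmless because the response is expected to be dropped before any notify is sent, but it means a regression that let one record through would fail on name resolution rather than on the check under test.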
@@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns3 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 diff --git a/bin/tests/system/multisigner/ns3/named.conf.j2 b/bin/tests/system/multisigner/ns3/named.conf.j2 index fc51c882f42..b56f01bf279 100644 --- a/bin/tests/system/multisigner/ns3/named.conf.j2 +++ b/bin/tests/system/multisigner/ns3/named.conf.j2 @@ -46,6 +46,14 @@ zone "model2.multisigner." { inline-signing no; }; +zone "model2.bad-dsync." { + type primary; + allow-update { any; }; + file "model2.bad-dsync.db"; + dnssec-policy model2; + inline-signing no; +}; + zone "model2.secondary." { type secondary; primaries { 10.53.0.5; }; diff --git a/bin/tests/system/multisigner/ns3/setup.sh b/bin/tests/system/multisigner/ns3/setup.sh index 2194f4e8d8b..50f26480f7f 100644 --- a/bin/tests/system/multisigner/ns3/setup.sh +++ b/bin/tests/system/multisigner/ns3/setup.sh 
@@ -29,6 +29,15 @@ $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 $DSFROMKEY $KSK.key >dsset-ns3-${zone}. +zone="model2.bad-dsync" +echo_i "setting up zone: $zone" +zonefile="${zone}.db" +KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone) +ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone) +$SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 +$DSFROMKEY $KSK.key >dsset-ns3-${zone}. + zone="model2.secondary" echo_i "setting up zone: $zone" zonefile="${zone}.db" diff --git a/bin/tests/system/multisigner/ns4/model2.bad-dsync.db b/bin/tests/system/multisigner/ns4/model2.bad-dsync.db new file mode 100644 index 00000000000..86a1708b458 --- /dev/null +++ b/bin/tests/system/multisigner/ns4/model2.bad-dsync.db @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns4 +ns4 A 10.53.0.4 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 diff --git a/bin/tests/system/multisigner/ns4/named.conf.j2 b/bin/tests/system/multisigner/ns4/named.conf.j2 index 017dd6c50af..3d551d04c40 100644 --- a/bin/tests/system/multisigner/ns4/named.conf.j2 +++ b/bin/tests/system/multisigner/ns4/named.conf.j2 
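Review bot: The nine added lines in ns3/setup.sh are a verbatim copy of the per-zone key-generation block that already appears immediately before and after them in the hunk, and ns4/setup.sh repeats the same copy in its own hunk (with `dsset-ns4-`); ns2/setup.sh in this same commit instead wraps the steps in a `setup()` function and calls it once per zone. The same shape here would make the next zone a one-line addition and keep the `$SETTIME` timing flags from drifting between copies. A function without `local` leaves `zone`, `zonefile`, `KSK` and `ZSK` set as globals exactly as the inline block does, so anything later in the script that reads them is unaffected; the enclosing script continues outside the hunk.
```shell
setup_zone() {
  zone="$1"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone)
  ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone)
  $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1
  $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1
  $DSFROMKEY $KSK.key >dsset-ns3-${zone}.
}
# … unchanged: earlier per-zone setup …
setup_zone "model2.bad-dsync"
# … unchanged: model2.secondary setup …
```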
@@ -46,6 +46,14 @@ zone "model2.multisigner." { inline-signing yes; }; +zone "model2.bad-dsync." { + type primary; + allow-update { any; }; + file "model2.bad-dsync.db"; + dnssec-policy model2; + inline-signing yes; +}; + zone "model2.secondary." { type secondary; primaries { 10.53.0.5; }; diff --git a/bin/tests/system/multisigner/ns4/setup.sh b/bin/tests/system/multisigner/ns4/setup.sh index d50d3bd26c0..bb13b8bede0 100644 --- a/bin/tests/system/multisigner/ns4/setup.sh +++ b/bin/tests/system/multisigner/ns4/setup.sh @@ -29,6 +29,15 @@ $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 $DSFROMKEY $KSK.key >dsset-ns4-${zone}. +zone="model2.bad-dsync" +echo_i "setting up zone: $zone" +zonefile="${zone}.db" +KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone) +ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone) +$SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 +$DSFROMKEY $KSK.key >dsset-ns4-${zone}. + zone="model2.secondary" echo_i "setting up zone: $zone" zonefile="${zone}.db" diff --git a/bin/tests/system/multisigner/tests_multisigner.py b/bin/tests/system/multisigner/tests_multisigner.py index bc53c249750..15726f1eb14 100644 --- a/bin/tests/system/multisigner/tests_multisigner.py +++ b/bin/tests/system/multisigner/tests_multisigner.py 
@@ -595,6 +595,25 @@ def test_multisigner(ns2, ns3, ns4): check_no_dnssec_in_journal(ns4, zone) +def test_multisigner_bad_dsync(ns3, ns4): + zone = "model2.bad-dsync" + + # First make sure the zone is properly signed. + isctest.log.info(f"basic DNSSEC tests for {zone}") + isctest.kasp.wait_keymgr_done(ns3, zone) + isctest.kasp.wait_keymgr_done(ns4, zone) + + with ns3.watch_log_from_start() as watcher: + watcher.wait_for_line( + f"zone {zone}/IN: dsyncfetch: multiple DSYNC records matching NOTIFY scheme and CDS RRtype, dropping response" + ) + + with ns4.watch_log_from_start() as watcher: + watcher.wait_for_line( + f"zone {zone}/IN (signed): dsyncfetch: multiple DSYNC records matching NOTIFY scheme and CDS RRtype, dropping response" + ) + + def test_multisigner_secondary(ns2, ns3, ns4, ns5): zone = "model2.secondary" keyprops = [
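Review bot: The expected log message is spelled out twice in test_multisigner_bad_dsync, once per watcher, differing only in the `/IN` versus `/IN (signed)` zone suffix, so a typo in one copy would presumably leave the watcher waiting until it gives up rather than failing clearly. Hoist it: `expected = "dsyncfetch: multiple DSYNC records matching NOTIFY scheme and CDS RRtype, dropping response"`, then `watcher.wait_for_line(f"zone {zone}/IN: {expected}")` and `watcher.wait_for_line(f"zone {zone}/IN (signed): {expected}")`. The function also has no docstring; a one-liner such as `"""A DSYNC RRset with two records for the same scheme and RRtype must be rejected and the response dropped."""` would tie it to the fixture in ns2/bad-dsync.db.in.j2. Finally, the test proves that named logged the drop but not that no NOTIFY actually left the server; if the harness can observe the notify targets, asserting their silence would pin the behaviour the commit message cares about.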