+++ /dev/null
-options {
- query-source address 10.53.0.2;
- notify-source 10.53.0.2;
- transfer-source 10.53.0.2;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.2; };
- listen-on-v6 { none; };
- allow-transfer { any; };
- recursion no;
- dnssec-validation yes;
-};
-
-zone truncated.selfsigned. {
- type primary;
- file "truncated.selfsigned.db.signed";
-};
-
-include "trusted.conf";
+++ /dev/null
-trust-anchors {
- /*
- * The key tag in the trust anchor must match that of the revoked
- * truncated self-signed key in the truncated.selfsigned. zone.
- *
- * The DNSKEY contents are intentionally different here, because the
- * key doesn't have the revoked bit here and that flag is part of the
- * key tag. The following decodes to key tag 33167, which is the same
- * as the revoked truncated key in the zone file.
- */
- truncated.selfsigned. static-key 257 3 14 "fYA=";
-};
+++ /dev/null
-options {
- query-source address 10.53.0.3;
- notify-source 10.53.0.3;
- transfer-source 10.53.0.3;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.3; };
- listen-on-v6 { none; };
- allow-transfer { any; };
- dnssec-validation yes;
-
- /* This is the default, but the test relies on it. */
- max-validation-failures-per-fetch 1;
-};
-
-zone "example." {
- type static-stub;
- server-addresses { 10.53.0.2; };
-};
-
-zone "truncated.selfsigned." {
- type static-stub;
- server-addresses { 10.53.0.2; };
-};
-
-include "trusted.conf";
+++ /dev/null
-../ns2/trusted.conf.j2
\ No newline at end of file
+++ /dev/null
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-import base64
-import isctest
-
-
-def test_truncated_dnskey():
- msg = isctest.query.create("a.truncated.selfsigned.", "A")
- res = isctest.query.tcp(msg, "10.53.0.3")
- isctest.check.servfail(res)
+{% raw %}
$TTL 300
@ IN SOA mname1. . (
a RRSIG A 14 3 86400 20950926153053 20251013153053 33167 @ xxxxv31CNatB9xzj3AfTMlwiO0OqxbpJ cWrHN8zjj1ScXpqrHITfG/CZpoECDLWF wkXshDB/QMxHrnXkPKEcR2c9o5tcQT5R nHvtr7HT4Ob5PcY5DnItf3OWhE+bocmW
a NSEC @ A RRSIG NSEC
a RRSIG NSEC 14 3 0 20950926153053 20251013153053 33167 @ xxxxwMWbUxb3ScBKEVheQ2wFqujc6cyt 28GVCU0wPrBpK72HSsgdYme7IG8ZXGfa IWSU1Kf/om5+El7Tf2vDs7aI1yI7e7YG D5IxMejQg5v3/wtP7AJZXP5K9ICjq/ph
+{% endraw %}
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from re import compile as Re
+
+from dnssec_py.common import DNSSEC_PY_MARK
+from isctest.template import NS2, TrustAnchor, zones
+from isctest.zone import Zone, configure_root
+
+import isctest
+
+pytestmark = DNSSEC_PY_MARK
+
+
+def bootstrap():
+ zone = Zone("truncated.selfsigned", NS2, signed=True)
+
+ root = configure_root([zone], signed=False) # just delegation, TA is added directly
+
+ # The trust anchor key tag must match the revoked truncated self-signed key
+ # in the zone (key tag 33167). The flags differ here (257 vs 385) because
+ # the revoked bit is not part of the trust anchor, but it is part of the key
+ # tag calculation.
+ zone_ta = TrustAnchor("truncated.selfsigned", "static-key", '257 3 14 "fYA="')
+
+ return {
+ "trust_anchors": [zone_ta],
+ "zones": zones([root, zone]),
+ }
+
+
+def test_truncated_dnskey(ns9):
+ msg = isctest.query.create("a.truncated.selfsigned.", "A")
+ with ns9.watch_log_from_here() as watcher:
+ res = isctest.query.tcp(msg, ns9.ip)
+ watcher.wait_for_line(Re("a.truncated.selfsigned/A.*broken trust chain"))
+ isctest.check.servfail(res)
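Review bot: bootstrap() drops the `max-validation-failures-per-fetch 1;` setting that the deleted ns3/named.conf.j2 carried together with the remark that the test relies on it, so the new test now depends silently on whatever default the ns9 template ships with; a truncated self-signed DNSKEY is exactly the input where that per-fetch failure cap decides whether the validator gives up promptly or keeps retrying. If the template framework lets bootstrap() pass resolver options, set it explicitly there; otherwise record the dependency next to the trust-anchor comment, e.g. `# Relies on ns9's default max-validation-failures-per-fetch (1); the old ns3 config set it explicitly.` In test_truncated_dnskey the log pattern is a non-raw string with unescaped dots, so `.` matches any character; `Re(r"a\.truncated\.selfsigned/A.*broken trust chain")` pins the owner name exactly. That ns9 is the validating resolver replacing the old 10.53.0.3 query target is inferred from the fixture name, not visible in this diff.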