git.ipfire.org Git - thirdparty/bind9.git/commit
[9.20] [CVE-2025-8677] sec: test: Test that DNSSEC validation is aborted on malformed...
author Nicki Křížek <nicki@isc.org>
Mon, 5 Jan 2026 14:41:19 +0000 (15:41 +0100)
committer Nicki Křížek <nicki@isc.org>
Mon, 5 Jan 2026 14:41:19 +0000 (15:41 +0100)
commit 04b4ff606d5ece0f52bf91fd04b651d438c082b9
tree 2b9e5123c00dd02df0834077c122974fb467c169
parent 9e7ad999f412b402db5afcfba48fe7d8de64bc28
parent ccfe50a9b1c6a6ebb63b0bb23c24a7d6a0537763
[9.20] [CVE-2025-8677] sec: test: Test that DNSSEC validation is aborted on malformed DNSKEY

Create a signed zone file that contains malformed ZSKs with colliding
key tags. The ZSKs don't represent valid ECDSA keys and will cause a
crypto failure when attempting to use them. Sign the zone with KSK, with
the exception of one record which is "signed" with the invalid ZSKs.

Check that the resolver aborts the DNSSEC verification after
encountering the first crypto failure, indicating malformed DNSKEY.

Closes #5343

Backport of MR !11425

Merge branch 'backport-5343-count-invalid-keys-into-validation-fails-test-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11427