git.ipfire.org Git - thirdparty/bind9.git/commit
Add a system test for CNAME answers to DNSSEC meta-type queries (11867/head)
author Ondřej Surý <ondrej@sury.org>
Fri, 29 May 2026 09:32:52 +0000 (11:32 +0200)
committer Ondřej Surý <ondrej@isc.org>
Fri, 29 May 2026 20:01:29 +0000 (22:01 +0200)
commit 358c55ffa264baad1d2926c4fcba8b124df64a87
tree 04ab7f237d36d54b433034fee55945d2804921c7
parent 938b58a809eff49e706984cccba1cfc42ed890c3
Add a system test for CNAME answers to DNSSEC meta-type queries

Two authoritative zones drive the cases. 'example.' answers DNSKEY,
NSEC, NSEC3 and RRSIG queries with a CNAME: a direct recursive query for
one of these must not crash the resolver, and the validator's own DNSKEY
fetch for a signed name must fail as a broken trust chain and return
SERVFAIL promptly.

'secure.' is served faithfully but answers DS queries with an unsigned
CNAME -- the input that drove the validator's insecurity proof into a
self-join.  The resolver must return SERVFAIL within a couple of seconds
instead of stalling for twelve.

Assisted-by: Claude:claude-opus-4-8
bin/tests/system/dnssec_cname_response/ans2/ans.py [new file with mode: 0644]
bin/tests/system/dnssec_cname_response/ans2/example.db.in [new file with mode: 0644]
bin/tests/system/dnssec_cname_response/ans2/secure.db.in [new file with mode: 0644]
bin/tests/system/dnssec_cname_response/ns3/named.conf.j2 [new file with mode: 0644]
bin/tests/system/dnssec_cname_response/ns3/trusted.conf.j2 [new file with mode: 0644]
bin/tests/system/dnssec_cname_response/tests_cname_rejection.py [new file with mode: 0644]
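Both failure cases in the commit message begin the same way: an authoritative server hands back a CNAME where the validator expected DNSSEC metadata (DNSKEY, DS, NSEC, NSEC3 or RRSIG). The following stdlib-only Python is an added illustration, not code from this commit, from BIND's `ans.py` or from the `tests_cname_rejection.py` test: it builds constructed wire-format responses for the two scenarios and shows the check a validating resolver needs to make up front, rejecting a CNAME at the query name for a meta-type query as a broken chain instead of chasing it. The record layout follows RFC 1035 (including compression pointers); the names `other.test.`, `host.example.`, the message id and the TTL are constructed values.

```python
import struct

# RR type codes from the IANA registry; the DNSSEC meta-types are the ones the
# commit message says must never be answered with a CNAME at the query name.
TYPE_A, TYPE_CNAME = 1, 5
TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY, TYPE_NSEC3 = 43, 46, 47, 48, 50
DNSSEC_META_TYPES = {TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY, TYPE_NSEC3}
CLASS_IN = 1
HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
RR_FIXED = struct.Struct("!HHIH")   # type, class, ttl, rdlength


def encode_name(name):
    """Uncompressed wire form of a dotted name: 'example.' -> b'\\x07example\\x00'."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"


def build_response(qname, qtype, answers, msg_id=0x1234):
    """Constructed response: header, one question and the given answer RRs,
    answers = [(owner, rtype, rdata_bytes)].  An owner equal to the query name
    is emitted as a compression pointer to the question (offset 12), which is
    what a real server does and what the parser below must follow."""
    msg = HEADER.pack(msg_id, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for owner, rtype, rdata in answers:
        owner_wire = b"\xc0\x0c" if owner == qname else encode_name(owner)
        msg += owner_wire + RR_FIXED.pack(rtype, CLASS_IN, 300, len(rdata)) + rdata
    return msg


def decode_name(msg, off):
    """Decode a possibly compressed name at `off`; returns (name, end_offset).
    A hop counter bounds pointer chains so a self-referencing pointer cannot
    spin the parser forever."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # RFC 1035 compression pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels) + ".", end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg):
    """Return (qname, qtype, [(owner, rtype, rdata)]) for the answer section."""
    _, _, qdcount, ancount, _, _ = HEADER.unpack_from(msg, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, HEADER.size)
    qtype, _ = struct.unpack_from("!HH", msg, off)
    off += 4
    answers = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = RR_FIXED.unpack_from(msg, off)
        off += RR_FIXED.size
        answers.append((owner, rtype, msg[off:off + rdlen]))
        off += rdlen
    return qname, qtype, answers


def classify_response(msg):
    """'cname-for-meta-type' when a DS/DNSKEY/NSEC/NSEC3/RRSIG query is answered
    with a CNAME at the query name, which a validator treats as a broken chain
    and fails immediately; 'ok' for everything else, including ordinary CNAME
    chains for A/AAAA and similar queries, where following the CNAME is correct."""
    qname, qtype, answers = parse_response(msg)
    if qtype in DNSSEC_META_TYPES:
        for owner, rtype, _ in answers:
            if rtype == TYPE_CNAME and owner.lower() == qname.lower():
                return "cname-for-meta-type"
    return "ok"


if __name__ == "__main__":
    # Constructed stand-ins for the two scenarios in the commit message.
    bad_dnskey = build_response("example.", TYPE_DNSKEY,
                                [("example.", TYPE_CNAME, encode_name("other.test."))])
    bad_ds = build_response("secure.", TYPE_DS,
                            [("secure.", TYPE_CNAME, encode_name("other.test."))])
    normal = build_response("www.example.", TYPE_A,
                            [("www.example.", TYPE_CNAME, encode_name("host.example.")),
                             ("host.example.", TYPE_A, bytes([192, 0, 2, 1]))])
    for label, m in (("DNSKEY", bad_dnskey), ("DS", bad_ds), ("A", normal)):
        print(label, classify_response(m))
```

The classification is deliberately narrow: a CNAME is only rejected when it sits at the query name of a meta-type query, so a legitimate CNAME chain for an address lookup still passes, and the bounded pointer-hop loop in `decode_name` is the same kind of fail-fast behaviour the test expects from the resolver (a prompt SERVFAIL rather than a stall).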