The test setup for the checkds tests.
These servers are parent servers:
+- ns1 is the root server.
+
- ns2 is a primary authoritative server that serves the parent zone for zones
configured in ns9.
-- ns3 is a resolver that can be configured as a parental agent.
- ns4 is the secondary server for ns2.
+- ns8 is the secondary server for ns2 that is not part of the NS RRset,
+ used for testing explicit parental-agents.
+
- ns5 is a primary authoritative server that serves the parent zone for zones
configured in ns9, but this one does not publish DS records (to test cases
- where the DS is missing).
+ where the DS is missing and the DS needs to be withdrawn).
+- ns7 is the secondary server for ns5.
+- ns10 is the secondary server for ns5 that is not part of the NS RRset,
+ used for testing explicit parental-agents.
+
- ns6 is an authoritative server for a different zone, to test badly configured
parental agents.
-- ns7 is the secondary server for ns5.
-Finally, ns9 is the authoritative server for the various DNSSEC enabled test
-domains.
+- ns3 is a resolver that can be configured as a parental agent.
+
+- Finally, ns9 is the authoritative server for the various DNSSEC enabled test
+ domains.
We need multiple test cases for testing the "checkds" functionality. Basically,
the behavior of "checkds" is of importance in three cases:
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS10
+
+options {
+ query-source address 10.53.0.10;
+ notify-source 10.53.0.10;
+ transfer-source 10.53.0.10;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.10; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.10 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "ns2" {
+ type secondary;
+ primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; };
+ file "ns2.db";
+};
+
+zone "ns2-4" {
+ type secondary;
+ primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; };
+ file "ns2-4.db";
+};
+
+zone "ns2-4-5" {
+ type secondary;
+ primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; };
+ file "ns2-4-5.db";
+};
+
+zone "ns2-4-6" {
+ type secondary;
+ primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; };
+ file "ns2-4-6.db";
+};
+
+zone "ns2-5-7" {
+ type secondary;
+ primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; };
+ file "ns2-5-7.db";
+};
+
+zone "ns5" {
+ type secondary;
+ primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; };
+ file "ns5.db";
+};
+
+zone "ns5-6-7" {
+ type secondary;
+ primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; };
+ file "ns5-6-7.db";
+};
+
+zone "ns5-7" {
+ type secondary;
+ primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; };
+ file "ns5-7.db";
+};
+
+zone "ns6" {
+ type secondary;
+ primaries source 10.53.0.10 { 10.53.0.5 port @PORT@; };
+ file "ns6.db";
+};
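Review bot: The header comment `// NS10` on the new file does not say what this server is for, and nothing in the config explains why every zone is a secondary of 10.53.0.5 while `allow-transfer { any; }` is set in options. The README hunk describes ns10 as the secondary for ns5 that is deliberately not part of the NS RRset and is used to test explicit parental-agents; suggest carrying that into the header: `// NS10: secondary for ns5 that is intentionally absent from the NS RRset; used only as an explicitly configured parental agent (see README).` The same applies to the `// NS8` header of the new ns8 config, which plays the matching role for ns2.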
zone "ns2" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.2; 10.53.0.4; };
- also-notify { 10.53.0.4; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; };
+ also-notify { 10.53.0.4; 10.53.0.8; };
dnssec-policy default;
file "ns2.db";
};
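Review bot: The ns8 address is appended to identical `allow-transfer` and `also-notify` lists in all nine zone blocks of this file, and 10.53.0.10 likewise in the nine ns5 zone blocks, so the next secondary added will again touch every zone block in both files. Both statements can be set once in `options` as the default for every zone, or the transfer list can be an `acl` referenced from each zone, for example `acl secondaries { 10.53.0.2; 10.53.0.4; 10.53.0.8; };` with `allow-transfer { secondaries; };`. This is a style point only; the per-zone lists are consistent with each other as written.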
zone "ns2-4" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.2; 10.53.0.4; };
- also-notify { 10.53.0.4; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; };
+ also-notify { 10.53.0.4; 10.53.0.8; };
dnssec-policy default;
file "ns2-4.db";
};
zone "ns2-4-5" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.2; 10.53.0.4; };
- also-notify { 10.53.0.4; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; };
+ also-notify { 10.53.0.4; 10.53.0.8; };
dnssec-policy default;
file "ns2-4-5.db";
};
zone "ns2-4-6" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.2; 10.53.0.4; };
- also-notify { 10.53.0.4; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; };
+ also-notify { 10.53.0.4; 10.53.0.8; };
dnssec-policy default;
file "ns2-4-6.db";
};
zone "ns2-5-7" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.2; 10.53.0.4; };
- also-notify { 10.53.0.4; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; };
+ also-notify { 10.53.0.4; 10.53.0.8; };
dnssec-policy default;
file "ns2-5-7.db";
};
zone "ns5" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.2; 10.53.0.4; };
- also-notify { 10.53.0.4; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; };
+ also-notify { 10.53.0.4; 10.53.0.8; };
dnssec-policy default;
file "ns5.db";
};
zone "ns5-6-7" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.2; 10.53.0.4; };
- also-notify { 10.53.0.4; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; };
+ also-notify { 10.53.0.4; 10.53.0.8; };
dnssec-policy default;
file "ns5-6-7.db";
};
zone "ns5-7" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.2; 10.53.0.4; };
- also-notify { 10.53.0.4; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; };
+ also-notify { 10.53.0.4; 10.53.0.8; };
dnssec-policy default;
file "ns5-7.db";
};
zone "ns6" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.2; 10.53.0.4; };
- also-notify { 10.53.0.4; };
+ allow-transfer { 10.53.0.2; 10.53.0.4; 10.53.0.8; };
+ also-notify { 10.53.0.4; 10.53.0.8; };
dnssec-policy default;
file "ns6.db";
};
zone "ns2" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.5; 10.53.0.7; };
- also-notify { 10.53.0.7; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; };
+ also-notify { 10.53.0.7; 10.53.0.10; };
dnssec-policy default;
file "ns2.db";
};
zone "ns2-4" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.5; 10.53.0.7; };
- also-notify { 10.53.0.7; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; };
+ also-notify { 10.53.0.7; 10.53.0.10; };
dnssec-policy default;
file "ns2-4.db";
};
zone "ns2-4-5" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.5; 10.53.0.7; };
- also-notify { 10.53.0.7; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; };
+ also-notify { 10.53.0.7; 10.53.0.10; };
dnssec-policy default;
file "ns2-4-5.db";
};
zone "ns2-4-6" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.5; 10.53.0.7; };
- also-notify { 10.53.0.7; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; };
+ also-notify { 10.53.0.7; 10.53.0.10; };
dnssec-policy default;
file "ns2-4-6.db";
};
zone "ns2-5-7" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.5; 10.53.0.7; };
- also-notify { 10.53.0.7; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; };
+ also-notify { 10.53.0.7; 10.53.0.10; };
dnssec-policy default;
file "ns2-5-7.db";
};
zone "ns5" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.5; 10.53.0.7; };
- also-notify { 10.53.0.7; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; };
+ also-notify { 10.53.0.7; 10.53.0.10; };
dnssec-policy default;
file "ns5.db";
};
zone "ns5-6-7" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.5; 10.53.0.7; };
- also-notify { 10.53.0.7; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; };
+ also-notify { 10.53.0.7; 10.53.0.10; };
dnssec-policy default;
file "ns5-6-7.db";
};
zone "ns5-7" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.5; 10.53.0.7; };
- also-notify { 10.53.0.7; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; };
+ also-notify { 10.53.0.7; 10.53.0.10; };
dnssec-policy default;
file "ns5-7.db";
};
zone "ns6" {
type primary;
allow-update { any; };
- allow-transfer { 10.53.0.5; 10.53.0.7; };
- also-notify { 10.53.0.7; };
+ allow-transfer { 10.53.0.5; 10.53.0.7; 10.53.0.10; };
+ also-notify { 10.53.0.7; 10.53.0.10; };
dnssec-policy default;
file "ns6.db";
};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS8
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "ns2" {
+ type secondary;
+ primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; };
+ file "ns2.db";
+};
+
+zone "ns2-4" {
+ type secondary;
+ primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; };
+ file "ns2-4.db";
+};
+
+zone "ns2-4-5" {
+ type secondary;
+ primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; };
+ file "ns2-4-5.db";
+};
+
+zone "ns2-4-6" {
+ type secondary;
+ primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; };
+ file "ns2-4-6.db";
+};
+
+zone "ns2-5-7" {
+ type secondary;
+ primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; };
+ file "ns2-5-7.db";
+};
+
+zone "ns5" {
+ type secondary;
+ primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; };
+ file "ns5.db";
+};
+
+zone "ns5-6-7" {
+ type secondary;
+ primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; };
+ file "ns5-6-7.db";
+};
+
+zone "ns5-7" {
+ type secondary;
+ primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; };
+ file "ns5-7.db";
+};
+
+zone "ns6" {
+ type secondary;
+ primaries source 10.53.0.8 { 10.53.0.2 port @PORT@; };
+ file "ns6.db";
+};
inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
-parental-agents "ns2" port @PORT@ {
- 10.53.0.2;
+parental-agents "ns8" port @PORT@ {
+ 10.53.0.8;
};
zone "." {
file "good.explicit.dspublish.ns2.db";
inline-signing yes;
dnssec-policy "default";
- parental-agents { 10.53.0.2 port @PORT@; };
+ parental-agents { 10.53.0.8 port @PORT@; };
+ checkds explicit;
};
/* Same as above, but now with a reference to parental-agents. */
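Review bot: The explicit parental-agent entries that now point at 10.53.0.8 (here, and in the later lists where 10.53.0.2 and 10.53.0.5 become 10.53.0.8 and 10.53.0.10) carry no comment, while neighbouring entries are annotated with `// missing`, `// bad` and `// still published`. Since the README says ns8 and ns10 exist precisely because they are not in the parent's NS RRset, a short tag such as `parental-agents { 10.53.0.8 port @PORT@; }; // ns8: not in NS RRset` would tell a reader why the explicit zones no longer use the addresses the yes zones use. The named list `parental-agents "ns8"` earlier in this section would benefit from the same tag.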
file "reference.explicit.dspublish.ns2.db";
inline-signing yes;
dnssec-policy "default";
- parental-agents { "ns2"; };
+ parental-agents { "ns8"; };
+ checkds explicit;
};
/* Same as above, but now with resolver parental agent configured. */
parental-agents {
10.53.0.3 port @PORT@;
};
+ checkds explicit;
};
/* Same as above, but now with auto parental agents. */
parental-agents {
10.53.0.5 port @PORT@; // missing
};
+ checkds explicit;
};
zone "not-yet.yes.dspublish.ns5" {
parental-agents {
10.53.0.6 port @PORT@; // bad
};
+ checkds explicit;
};
zone "bad.yes.dspublish.ns6" {
inline-signing yes;
dnssec-policy "default";
parental-agents {
- 10.53.0.2 port @PORT@;
+ 10.53.0.8 port @PORT@;
10.53.0.4 port @PORT@;
};
+ checkds explicit;
};
zone "good.yes.dspublish.ns2-4" {
inline-signing yes;
dnssec-policy "default";
parental-agents {
- 10.53.0.2 port @PORT@;
+ 10.53.0.8 port @PORT@;
10.53.0.4 port @PORT@;
10.53.0.5 port @PORT@; // missing
};
+ checkds explicit;
};
zone "incomplete.yes.dspublish.ns2-4-5" {
inline-signing yes;
dnssec-policy "default";
parental-agents {
- 10.53.0.2 port @PORT@;
+ 10.53.0.8 port @PORT@;
10.53.0.4 port @PORT@;
10.53.0.6 port @PORT@; // bad
};
+ checkds explicit;
};
zone "bad.yes.dspublish.ns2-4-6" {
file "good.explicit.dsremoved.ns5.db";
inline-signing yes;
dnssec-policy "insecure";
- parental-agents { 10.53.0.5 port @PORT@; };
+ parental-agents { 10.53.0.10 port @PORT@; };
+ checkds explicit;
};
zone "resolver.explicit.dsremoved.ns5" {
parental-agents {
10.53.0.3 port @PORT@;
};
+ checkds explicit;
};
zone "good.yes.dsremoved.ns5" {
parental-agents {
10.53.0.2 port @PORT@; // still published
};
+ checkds explicit;
};
zone "still-there.yes.dsremoved.ns2" {
parental-agents {
10.53.0.6 port @PORT@; // bad
};
+ checkds explicit;
};
zone "bad.yes.dsremoved.ns6" {
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
- 10.53.0.5 port @PORT@;
+ 10.53.0.10 port @PORT@;
10.53.0.7 port @PORT@;
};
+ checkds explicit;
};
zone "good.yes.dsremoved.ns5-7" {
dnssec-policy "insecure";
parental-agents {
10.53.0.2 port @PORT@; // still published
- 10.53.0.5 port @PORT@;
+ 10.53.0.10 port @PORT@;
10.53.0.7 port @PORT@;
};
+ checkds explicit;
};
zone "incomplete.yes.dsremoved.ns2-5-7" {
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
- 10.53.0.5 port @PORT@;
+ 10.53.0.10 port @PORT@;
10.53.0.7 port @PORT@;
10.53.0.6 port @PORT@; // bad
};
+ checkds explicit;
};
zone "bad.yes.dsremoved.ns5-6-7" {
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
# Setup zones
(
assert found
-def checkds_dspublished(named_port, checkds):
+def checkds_dspublished(named_port, checkds, addr):
# We create resolver instances that will be used to send queries.
server = dns.resolver.Resolver()
server.nameservers = ["10.53.0.9"]
wait_for_log(
"ns9/named.run",
"zone good.{}.dspublish.ns2/IN (signed): checkds: "
- "DS response from 10.53.0.2".format(checkds),
+ "DS response from {}".format(checkds, addr),
)
keystate_check(parent, "good.{}.dspublish.ns2.".format(checkds), "DSPublish")
wait_for_log(
"ns9/named.run",
"zone good.{}.dspublish.ns2-4/IN (signed): checkds: "
- "DS response from 10.53.0.2".format(checkds),
+ "DS response from {}".format(checkds, addr),
)
wait_for_log(
"ns9/named.run",
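Review bot: `checkds_dspublished` gains an `addr` parameter with no documentation of what it is; the callers pass `10.53.0.8` for `explicit` and `10.53.0.2` for `yes`, and the only use visible here is substituting it into the expected `DS response from {}` log line. A docstring under the def would make the coupling to ns9's parental-agents configuration clear: `"""Run the DS-publish checks for one checkds mode; addr is the parental-agent address ns9 is expected to report in its checkds log lines."""`. The same applies to `checkds_dswithdrawn`, where addr is 10.53.0.10 or 10.53.0.5 and the expected line is `empty DS response from {}`. The body of checkds_dspublished continues beyond this hunk.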
wait_for_log(
"ns9/named.run",
"zone incomplete.{}.dspublish.ns2-4-5/IN (signed): checkds: "
- "DS response from 10.53.0.2".format(checkds),
+ "DS response from {}".format(checkds, addr),
)
wait_for_log(
"ns9/named.run",
wait_for_log(
"ns9/named.run",
"zone bad.{}.dspublish.ns2-4-6/IN (signed): checkds: "
- "DS response from 10.53.0.2".format(checkds),
+ "DS response from {}".format(checkds, addr),
)
wait_for_log(
"ns9/named.run",
# TBD: Check with TLS
-def checkds_dswithdrawn(named_port, checkds):
+def checkds_dswithdrawn(named_port, checkds, addr):
# We create resolver instances that will be used to send queries.
server = dns.resolver.Resolver()
server.nameservers = ["10.53.0.9"]
wait_for_log(
"ns9/named.run",
"zone good.{}.dsremoved.ns5/IN (signed): checkds: "
- "empty DS response from 10.53.0.5".format(checkds),
+ "empty DS response from {}".format(checkds, addr),
)
keystate_check(parent, "good.{}.dsremoved.ns5.".format(checkds), "DSRemoved")
wait_for_log(
"ns9/named.run",
"zone good.{}.dsremoved.ns5-7/IN (signed): checkds: "
- "empty DS response from 10.53.0.5".format(checkds),
+ "empty DS response from {}".format(checkds, addr),
)
wait_for_log(
"ns9/named.run",
wait_for_log(
"ns9/named.run",
"zone incomplete.{}.dsremoved.ns2-5-7/IN (signed): checkds: "
- "empty DS response from 10.53.0.5".format(checkds),
+ "empty DS response from {}".format(checkds, addr),
)
wait_for_log(
"ns9/named.run",
wait_for_log(
"ns9/named.run",
"zone bad.{}.dsremoved.ns5-6-7/IN (signed): checkds: "
- "empty DS response from 10.53.0.5".format(checkds),
+ "empty DS response from {}".format(checkds, addr),
)
wait_for_log(
"ns9/named.run",
wait_for_log(
"ns9/named.run",
"zone reference.explicit.dspublish.ns2/IN (signed): "
- "checkds: DS response from 10.53.0.2",
+ "checkds: DS response from 10.53.0.8",
)
keystate_check(parent, "reference.explicit.dspublish.ns2.", "DSPublish")
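Review bot: The expected log line for reference.explicit.dspublish.ns2 hard-codes `10.53.0.8`, whereas the sibling checks for the other explicit zones now take the address from the `addr` parameter. If this wait_for_log sits inside checkds_dspublished (the enclosing function starts outside the hunk), `"checkds: DS response from {}".format(addr),` would keep the explicit-agent address in one place; if it lives in a separate test, a comment such as `# ns8, the explicit parental agent named in ns9/named.conf.in` would at least explain the literal.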
def test_checkds_dspublished(named_port):
- checkds_dspublished(named_port, "explicit")
- checkds_dspublished(named_port, "yes")
+ checkds_dspublished(named_port, "explicit", "10.53.0.8")
+ checkds_dspublished(named_port, "yes", "10.53.0.2")
def test_checkds_dswithdrawn(named_port):
- checkds_dswithdrawn(named_port, "explicit")
- checkds_dswithdrawn(named_port, "yes")
+ checkds_dswithdrawn(named_port, "explicit", "10.53.0.10")
+ checkds_dswithdrawn(named_port, "yes", "10.53.0.5")
def test_checkds_no(named_port):
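Review bot: The four address literals passed from `test_checkds_dspublished` and `test_checkds_dswithdrawn` encode which server acts as parental agent in each mode, but nothing here says so. A one-line comment above each pair, e.g. `# explicit mode queries ns8/ns10 (not in the parent NS RRset); yes mode queries ns2/ns5`, would tie them to the README and to the parental-agents lists in ns9/named.conf.in. `test_checkds_no` begins on the hunk's last line and its body is outside it.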