mirror/bind9
1
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9.git synced 2025-12-20 00:55:29 +08:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Update optout test to reconfig to NSEC

Browse Source 
If we change from NSEC3 to NSEC we should not produce a zone with
missing NSEC records.

The code only considered having seen a record if there was previously
a signature present at the owner name. However with opt-out, insecure
delegations don't have a RRSIG record. Reconfiguring to NSEC causes
all insecure delegations to have a missing NSEC record.

Add a DNAME record to the test zone to also cover DNAME delegations.
This commit is contained in:
Matthijs Mekking
2025-12-09 14:12:08 +01:00
parent 17c5537c26
commit 3679bd4888
5 changed files with 83 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
bin/tests/system/optout/ns2/named.conf.j2
View File

@@ -11,6 +11,9 @@
* information regarding copyright ownership. * information regarding copyright ownership.
*/ */
{% set reconfiged = reconfiged | default(False) %}
{% set policy = "optout" if not reconfiged else "nsec" %}
options { options {
port @PORT@; port @PORT@;
pid-file "named.pid"; pid-file "named.pid";
@@ -33,9 +36,22 @@ dnssec-policy "optout" {
nsec3param iterations 0 optout yes salt-length 0; nsec3param iterations 0 optout yes salt-length 0;
}; };
dnssec-policy "nsec" {
keys {
csk lifetime unlimited algorithm ecdsa256;
};
};
zone "test" { zone "test" {
type primary; type primary;
file "test.db"; file "test.db";
dnssec-policy "optout"; dnssec-policy "optout";
inline-signing yes; inline-signing yes;
}; };
zone "small.test" {
type primary;
file "small.test.db";
dnssec-policy "@policy@";
inline-signing yes;
};

25
bin/tests/system/optout/ns2/small.test.db Normal file
View File

@@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 3600
@ IN SOA ns2.small.test. hostmaster.small.test. 1 7200 3600 24796800 3600
IN NS ns2
ns2 IN A 10.53.0.2
a IN A 127.0.0.1
dname IN DNAME branch.example.
under.dname IN TXT "occluded"
$GENERATE 1-10 child$ IN NS ns.example.
child5 IN DS 7250 13 2 A30B3F78B6DDE9A4A9A2AD0C805518B4F49EC62E7D3F4531D33DE697 CDA01CB2

3
bin/tests/system/optout/ns2/test.db
View File

@@ -17,6 +17,9 @@ ns2 IN A 10.53.0.2
a IN A 127.0.0.1 a IN A 127.0.0.1
dname IN DNAME branch.example.
under.dname IN TXT "occluded"
$GENERATE 1-50000 child$ IN NS ns.example. $GENERATE 1-50000 child$ IN NS ns.example.
child303 IN DS 7250 13 2 A30B3F78B6DDE9A4A9A2AD0C805518B4F49EC62E7D3F4531D33DE697 CDA01CB2 child303 IN DS 7250 13 2 A30B3F78B6DDE9A4A9A2AD0C805518B4F49EC62E7D3F4531D33DE697 CDA01CB2

14
bin/tests/system/optout/setup.sh
View File

@@ -1,14 +0,0 @@
#!/bin/sh -e
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
. ../conf.sh

41
bin/tests/system/optout/tests_optout.py
View File

@@ -94,14 +94,51 @@ def verify_zone(zone, transfer):
def test_optout(ns2): def test_optout(ns2):
zone = "test" zone = "test"
expect_nsec3param = True
# Wait until the provided zone is signed and then verify its DNSSEC data. # Wait until the provided zone is signed and then verify its DNSSEC data.
def check_nsec3param(): def check_nsec3param():
response = do_query(ns2, zone, "NSEC3PARAM") response = do_query(ns2, zone, "NSEC3PARAM")
return has_nsec3param(zone, response) if expect_nsec3param:
return has_nsec3param(zone, response)
return not has_nsec3param(zone, response)
# check zone is fully signed. # check zone is fully signed.
isctest.run.retry_with_timeout(check_nsec3param, timeout=300) isctest.run.retry_with_timeout(check_nsec3param, timeout=100)
# check if zone if DNSSEC valid.
transfer = do_xfr(ns2, zone)
assert verify_zone(zone, transfer)
def test_optout_to_nsec(ns2, templates):
zone = "small.test"
expect_nsec3param = True
# Wait until the provided zone is signed and then verify its DNSSEC data.
def check_nsec3param():
response = do_query(ns2, zone, "NSEC3PARAM")
if expect_nsec3param:
return has_nsec3param(zone, response)
return not has_nsec3param(zone, response)
# check zone is fully signed.
isctest.run.retry_with_timeout(check_nsec3param, timeout=100)
# check if zone if DNSSEC valid.
transfer = do_xfr(ns2, zone)
assert verify_zone(zone, transfer)
# reconfigure to NSEC.
data = {
"reconfiged": True,
}
templates.render(f"{ns2.identifier}/named.conf", data)
ns2.reconfigure()
# wait until NSEC3PARAM is removed.
expect_nsec3param = False
isctest.run.retry_with_timeout(check_nsec3param, timeout=100)
# check if zone if DNSSEC valid. # check if zone if DNSSEC valid.
transfer = do_xfr(ns2, zone) transfer = do_xfr(ns2, zone)