From 10e272d3fcd083fc7dd3a81ef71ecdc424fb0ab8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Tue, 9 Jun 2026 09:44:28 +0000 Subject: [PATCH] Add active truncated DNSKEY test to dnssec_py Forward-port active truncated DNSKEY test from a812bc52 which has only been merged to the stable branches. Assisted-by: Claude:claude-opus-4-8
---
 .../truncated-active.selfsigned.db.signed.j2 | 25 +++++++++++++ ...truncated-revoked.selfsigned.db.signed.j2} | 0 .../tests_dnskey_truncated_selfsigned.py | 35 ++++++++++++++----- 3 files changed, 52 insertions(+), 8 deletions(-) create mode 100644 bin/tests/system/dnssec_py/ns2/zones/truncated-active.selfsigned.db.signed.j2 rename bin/tests/system/dnssec_py/ns2/zones/{truncated.selfsigned.db.signed.j2 => truncated-revoked.selfsigned.db.signed.j2} (100%)
diff --git a/bin/tests/system/dnssec_py/ns2/zones/truncated-active.selfsigned.db.signed.j2 b/bin/tests/system/dnssec_py/ns2/zones/truncated-active.selfsigned.db.signed.j2
new file mode 100644
index 0000000000..8043b2c5d1
--- /dev/null
+++ b/bin/tests/system/dnssec_py/ns2/zones/truncated-active.selfsigned.db.signed.j2
@@ -0,0 +1,25 @@
+{% raw %}
+$TTL 300
+
+@ IN SOA mname1. . (
+ 1 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+
+@ NS @
+@ A 10.53.0.2
+
+; The following DNSKEY is too short for the algorithm, but will be
+; accepted by the DNSKEY parser code, which only checks for minimum length.
+@ DNSKEY 257 3 14 fYA=
+
+@ RRSIG SOA 14 2 86400 20950926153053 20251013153053 33167 @ xxxx5f7U0DiPvKFxpB83mTyqkAO0TfM0 xe4ZMYoJUQEPYdd0GTNkFzI6crsbU0lQ t/V1YOxAt5B+T1ch9n5dhYwt7ZTqluI2 mr6myKMesdPl1zp1hEgkmFpCG3NOXl2Z
+@ RRSIG NS 14 2 86400 20950926153053 20251013153053 33167 @ xxxxLBPc05g7v/K5UfGuXsHH8xd29eQb 5qWe+Ei4Qn0GlmH0x/VIJiJMZXuxD5S+ VhP7DiX7uKIxi0QS2DOK1aOMXq/2WiUV 2VBmYAoSUilMlJY84I2XbzqD5iz5y+yp
+@ RRSIG A 14 2 86400 20950926153053 20251013153053 33167 @ xxxx6UguMh8jgdVox2UVURjEsAP0D8o2 mFofnFOd6eYf+49QlWD+GX6x60X/hPVi f2XFsajouCvT/ZSmoXKWad3RC1DLHF/H TdOGMKlT4DfvbeJV+N5N0bgu2Wv3QRdM
+@ RRSIG DNSKEY 14 2 86400 20950926153053 20251013153053 33167 @ xxxxqayRNsL32Km0c9AjwN0RNktt4iGb 97Dwi0uiHPcM4eVNZR2w68XMUh43+nR1 DA1QE2RqIqt7soEIwi1z4kAczf7W1wrP 7dcbEwjxS9D1CefuNRG1xnj9wGsqKecI
+@ NSEC a A NS SOA RRSIG NSEC DNSKEY
+@ RRSIG NSEC 14 2 0 20950926153053 20251013153053 33167 @ xxxx4Y6vqeOJHWEeg0T0OY4z7BdDrTkn BY9Yra8zSjFEGZvIX3irPd81+u5xlA0T 9waJO2Y9W42IMrOeKdQt++QXVHsLhOYn 4NAF6RotHSb4cqv1DXI1PSchMaJ5FWwD
+{% endraw %}
diff --git a/bin/tests/system/dnssec_py/ns2/zones/truncated.selfsigned.db.signed.j2 b/bin/tests/system/dnssec_py/ns2/zones/truncated-revoked.selfsigned.db.signed.j2
similarity index 100%
rename from bin/tests/system/dnssec_py/ns2/zones/truncated.selfsigned.db.signed.j2
rename to bin/tests/system/dnssec_py/ns2/zones/truncated-revoked.selfsigned.db.signed.j2
diff --git a/bin/tests/system/dnssec_py/tests_dnskey_truncated_selfsigned.py b/bin/tests/system/dnssec_py/tests_dnskey_truncated_selfsigned.py
index fa6ceea85f..706ada4586 100644
--- a/bin/tests/system/dnssec_py/tests_dnskey_truncated_selfsigned.py
+++ b/bin/tests/system/dnssec_py/tests_dnskey_truncated_selfsigned.py 
@@ -21,25 +21,44 @@ pytestmark = DNSSEC_PY_MARK def bootstrap(): - zone = Zone("truncated.selfsigned", NS2, signed=True) + revoked_zone = Zone("truncated-revoked.selfsigned", NS2, signed=True) + active_zone = Zone("truncated-active.selfsigned", NS2, signed=True) - root = configure_root([zone], signed=False) # just delegation, TA is added directly + # just delegation, the trust anchors are added directly + root = configure_root([revoked_zone, active_zone], signed=False) # The trust anchor key tag must match the revoked truncated self-signed key # in the zone (key tag 33167). The flags differ here (257 vs 385) because # the revoked bit is not part of the trust anchor, but it is part of the key # tag calculation. - zone_ta = TrustAnchor("truncated.selfsigned", "static-key", '257 3 14 "fYA="') + revoked_ta = TrustAnchor( + "truncated-revoked.selfsigned", "static-key", '257 3 14 "fYA="' + ) + + # The active truncated key is too short for the ECDSA curve but passes the + # parser's minimum-length check; trusting it directly exercises the + # key-construction failure path. 
+ active_ta = TrustAnchor( + "truncated-active.selfsigned", "static-key", '257 3 14 "fYA="' + ) return { - "trust_anchors": [zone_ta], - "zones": zones([root, zone]), + "trust_anchors": [revoked_ta, active_ta], + "zones": zones([root, revoked_zone, active_zone]), } -def test_truncated_dnskey(ns9): - msg = isctest.query.create("a.truncated.selfsigned.", "A") +def test_truncated_revoked_dnskey(ns9): + msg = isctest.query.create("a.truncated-revoked.selfsigned.", "A") with ns9.watch_log_from_here() as watcher: res = isctest.query.tcp(msg, ns9.ip) - watcher.wait_for_line(Re("a.truncated.selfsigned/A.*broken trust chain")) + watcher.wait_for_line( + Re("a.truncated-revoked.selfsigned/A.*broken trust chain") + ) + isctest.check.servfail(res) + + +def test_truncated_active_dnskey(ns9): + msg = isctest.query.create("a.truncated-active.selfsigned.", "A") + res = isctest.query.tcp(msg, ns9.ip) isctest.check.servfail(res)
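Review bot: `test_truncated_active_dnskey` only asserts SERVFAIL, so it cannot distinguish the key-construction failure that the new bootstrap comment says it exercises from any other validation failure on the same query. The RRSIG RDATA in the new fixture all begins with `xxxx`, which looks like deliberately invalid signature data, so presumably the resolver would SERVFAIL even if the 2-byte algorithm-14 key were accepted as a trust anchor, and a regression in the short-key rejection would go unnoticed. The sibling `test_truncated_revoked_dnskey` already pins its outcome with `watcher.wait_for_line(...)` on `broken trust chain`; the active test should do the same with the message the validator logs when the truncated key fails to construct. That log text is not on this page, so the rewrite below carries a clearly marked placeholder to fill in.
```python
def test_truncated_active_dnskey(ns9):
    msg = isctest.query.create("a.truncated-active.selfsigned.", "A")
    with ns9.watch_log_from_here() as watcher:
        res = isctest.query.tcp(msg, ns9.ip)
        # TODO: replace the placeholder with the exact message named logs
        # when the 2-byte algorithm-14 trust anchor key fails to construct.
        watcher.wait_for_line(
            Re("a.truncated-active.selfsigned/A.*<VALIDATOR_KEY_FAILURE_LOG_TEXT>")
        )
    isctest.check.servfail(res)
```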