Add a system test with one good and one bad algorithm

The case where there would be one supported algorithm and one already unsupported (like RSAMD5 or RSASHA1) was missing. (cherry picked from commit488d7bfc75f2988c6e461b8677bc0e27e58bd82e)
2026-06-10 16:40:00 -04:00 · 2025-11-01 12:00:59 +01:00 · 2025-11-01 12:00:59 +01:00 · 5241c1b09b
commit 5241c1b09b
parent 6098fd6abf
7 changed files with 82 additions and 1 deletions
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@ -180,4 +180,8 @@ ns.rsasha1		A	10.53.0.3
 rsasha1-1024		NS	ns.rsasha1-1024
 ns.rsasha1-1024		A	10.53.0.3

+; A secure subdomain with extra bad key
+extrabadkey		NS	ns3.extrabadkey
+ns3.extrabadkey		A	10.53.0.3
+
 dname-at-apex-nsec3	NS	ns3
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@ -63,7 +63,8 @@ for subdomain in digest-alg-unsupported ds-unsupported secure badds \
  ttlpatch split-dnssec split-smart expired expiring upper lower \
  dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
  dnskey-nsec3-unknown managed-future future revkey \
-  dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024; do
+  dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024 \
+  extrabadkey; do
  cp "../ns3/dsset-$subdomain.example." .
 done

--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@ -133,6 +133,12 @@ zone "insecure2.example" {
 	allow-update { any; };
 };

+zone "extrabadkey.example" {
+	type primary;
+	file "extrabadkey.example.db.signed";
+	allow-update { any; };
+};
+
 zone "insecure.nsec3.example" {
 	type primary;
 	file "insecure.nsec3.example.db";
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@ -726,3 +726,34 @@ zone=rsasha1-1024.example
 zonefile=rsasha1-1024.example.db
 awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" \
  | $DSFROMKEY -f - "$zone" >"dsset-${zone}."
+
+#
+#
+#
+zone=extrabadkey.example.
+infile=template.db.in
+zonefile=extrabadkey.example.db
+
+# Add KSK and ZSK that we will mangle to RSAMD5
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
+"$SIGNER" -g -O full -o "$zone" "$zonefile" >/dev/null 2>&1
+
+# Mangle the signatures to RSAMD5 and save them for future use
+sed -ne "s/\(IN[[:space:]]*RRSIG[[:space:]]*[A-Z]*\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /p" <"$zonefile.signed" >"$zonefile.signed.rsamd5"
+
+# Now add normal KSK and ZSK to the zone file
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
+
+# Mangle the DNSKEY algorithm numbers and add them to the signed zone file
+cat "$ksk.key" "$zsk.key" | sed -e "s/\(IN[[:space:]]*DNSKEY[[:space:]]*[0-9]* 3\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /" >>"$zonefile"
+
+# Sign normally
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
+
+# Add the mangled signatures to signed zone file
+cat "$zonefile.signed.rsamd5" >>"$zonefile.signed"
+rm "$zonefile.signed.rsamd5"
--- a/bin/tests/system/dnssec/ns3/template.db.in
+++ b/bin/tests/system/dnssec/ns3/template.db.in
@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+a.b			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@ -4797,5 +4797,16 @@ n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+echo_i "checking extra-bad-algorithm positive validation ($n)"
+ret=0
+dig_with_opts +noauth a.extrabadkey.example. @10.53.0.3 A >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.extrabadkey.example. @10.53.0.4 A >dig.out.ns4.test$n || ret=1
+digcomp --lc dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@ -100,6 +100,7 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns3/example.bk",
        "ns3/expired.example.db",
        "ns3/expiring.example.db",
+        "ns3/extrabadkey.example.db",
        "ns3/future.example.db",
        "ns3/keyless.example.db",
        "ns3/kskonly.example.db",