Add stripped DNSKEY RRSIG senario

2026-06-09 07:12:11 -04:00 · 2024-12-20 20:24:05 +11:00 · 2024-12-20 20:24:05 +11:00 · a71b617566
commit a71b617566
parent b694acbe45
7 changed files with 78 additions and 0 deletions
--- a/bin/tests/system/dnssec/ns1/root.db.in
+++ b/bin/tests/system/dnssec/ns1/root.db.in
@ -39,3 +39,5 @@ too-many-iterations.	NS	ns2.too-many-iterations.
 ns2.too-many-iterations.	A	10.53.0.2
 peer-ns-spoof		NS	ns2.peer-ns-spoof.
 ns2.peer-ns-spoof.	A	10.53.0.2
+dnskey-rrsigs-stripped.	NS	ns2.dnskey-rrsigs-stripped.
+ns2.dnskey-rrsigs-stripped.	A	10.53.0.2
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@ -31,6 +31,7 @@ cp "../ns2/dsset-in-addr.arpa." .
 cp "../ns2/dsset-too-many-iterations." .
 cp "../ns2/dsset-lazy-ksk." .
 cp "../ns2/dsset-peer-ns-spoof." .
+cp "../ns2/dsset-dnskey-rrsigs-stripped." .

 grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll."
 cp "../ns6/dsset-optout-tld." .
--- a/bin/tests/system/dnssec/ns2/dnskey-rrsigs-stripped.db.in
+++ b/bin/tests/system/dnssec/ns2/dnskey-rrsigs-stripped.db.in
@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			NS	ns3
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@ -224,4 +224,9 @@ zone "peer.peer-ns-spoof" {
 	file "peer.peer-ns-spoof.db.signed";
 };

+zone "dnskey-rrsigs-stripped" {
+	type primary;
+	file "dnskey-rrsigs-stripped.db.signed";
+};
+
 include "trusted.conf";
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@ -387,3 +387,20 @@ ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$z
 zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
+
+#
+# A zone with the DNSKEY RRSIGS stripped
+#
+zone=dnskey-rrsigs-stripped
+infile=dnskey-rrsigs-stripped.db.in
+zonefile=dnskey-rrsigs-stripped.db
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
+"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \
+  | awk '$4 == "RRSIG" && $5 == "DNSKEY" { next } { print }' >"$zonefile.stripped"
+"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \
+  | awk '$4 == "SOA" { $7 = $7 + 1; print; next } { print }' >"$zonefile.next"
+"$SIGNER" -g -o "$zone" -f "$zonefile.next" "$zonefile.next" >/dev/null 2>&1
+cp "$zonefile.stripped" "$zonefile.signed"
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@ -204,6 +204,29 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))

+echo_i "checking recovery from stripped DNSKEY RRSIG ($n)"
+ret=0
+# prime cache with DNSKEY without RRSIGs
+dig_with_opts +noauth +cd dnskey-rrsigs-stripped. @10.53.0.4 dnskey >dig.out.prime.ns4.test$n || ret=1
+grep ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1" dig.out.prime.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1
+grep "RRSIG.DNSKEY" dig.out.prime.ns4.test$n >/dev/null && ret=1
+# reload server with properly signed zone
+cp ns2/dnskey-rrsigs-stripped.db.next ns2/dnskey-rrsigs-stripped.db.signed
+nextpart ns2/named.run >/dev/null
+rndccmd 10.53.0.2 reload dnskey-rrsigs-stripped | sed 's/^/ns2 /' | cat_i
+wait_for_log 5 "zone dnskey-rrsigs-stripped/IN: loaded serial 2000042408" ns2/named.run || ret=1
+# make a query that flushes the unsigned DNSKEY RRset
+dig_with_opts +noauth a.dnskey-rrsigs-stripped. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+# make a second query that should now validate
+dig_with_opts +noauth b.dnskey-rrsigs-stripped. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
+dig_with_opts +noauth b.dnskey-rrsigs-stripped. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_i "checking that 'example/DS' from the referral was used in previous validation ($n)"
 ret=0
 grep "query 'example/DS/IN' approved" ns1/named.run >/dev/null && ret=1
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@ -50,6 +50,9 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns2/cds-update.secure.id",
        "ns2/cds-x.secure.db",
        "ns2/cds.secure.db",
+        "ns2/dnskey-rrsigs-stripped.db",
+        "ns2/dnskey-rrsigs-stripped.db.next",
+        "ns2/dnskey-rrsigs-stripped.db.stripped",
        "ns2/example.db",
        "ns2/in-addr.arpa.db",
        "ns2/lazy-ksk.db",