upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-10 13:49:58 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add a test with an active truncated key

Browse source 
Check that an invalid truncated key is handled correctly.
This commit is contained in:
Evan Hunt 2026-05-03 00:41:58 -07:00 committed by Ondřej Surý
parent bf4cdca7e9
commit a812bc52eb
No known key found for this signature in database
GPG key ID: 2820F37E873DEA41
6 changed files with 60 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
bin/tests/system/dnssec_malformed_dnskey/ns2/named.conf.j2
View file

@ -34,9 +34,14 @@ zone example. {
file "example.db.signed.malformed"; file "example.db.signed.malformed";
}; };
zone truncated.selfsigned. { zone truncated-active.selfsigned. {
type primary; type primary;
file "truncated.selfsigned.db.signed"; file "truncated-active.selfsigned.db.signed";
};
zone truncated-revoked.selfsigned. {
type primary;
file "truncated-revoked.selfsigned.db.signed";
}; };
include "trusted.conf"; include "trusted.conf";

34
bin/tests/system/dnssec_malformed_dnskey/ns2/truncated-active.selfsigned.db.signed Normal file
View file

@ -0,0 +1,34 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA mname1. . (
1 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
@ NS @
@ A 10.53.0.2
; The following DNSKEY is too short for the algorithm, but will be
; accepted by the DNSKEY parser code, which only checks for minimum length.
@ DNSKEY 257 3 14 fYA=
@ RRSIG SOA 14 2 86400 20950926153053 20251013153053 33167 @ xxxx5f7U0DiPvKFxpB83mTyqkAO0TfM0 xe4ZMYoJUQEPYdd0GTNkFzI6crsbU0lQ t/V1YOxAt5B+T1ch9n5dhYwt7ZTqluI2 mr6myKMesdPl1zp1hEgkmFpCG3NOXl2Z
@ RRSIG NS 14 2 86400 20950926153053 20251013153053 33167 @ xxxxLBPc05g7v/K5UfGuXsHH8xd29eQb 5qWe+Ei4Qn0GlmH0x/VIJiJMZXuxD5S+ VhP7DiX7uKIxi0QS2DOK1aOMXq/2WiUV 2VBmYAoSUilMlJY84I2XbzqD5iz5y+yp
@ RRSIG A 14 2 86400 20950926153053 20251013153053 33167 @ xxxx6UguMh8jgdVox2UVURjEsAP0D8o2 mFofnFOd6eYf+49QlWD+GX6x60X/hPVi f2XFsajouCvT/ZSmoXKWad3RC1DLHF/H TdOGMKlT4DfvbeJV+N5N0bgu2Wv3QRdM
@ RRSIG DNSKEY 14 2 86400 20950926153053 20251013153053 33167 @ xxxxqayRNsL32Km0c9AjwN0RNktt4iGb 97Dwi0uiHPcM4eVNZR2w68XMUh43+nR1 DA1QE2RqIqt7soEIwi1z4kAczf7W1wrP 7dcbEwjxS9D1CefuNRG1xnj9wGsqKecI
@ NSEC a A NS SOA RRSIG NSEC DNSKEY
@ RRSIG NSEC 14 2 0 20950926153053 20251013153053 33167 @ xxxx4Y6vqeOJHWEeg0T0OY4z7BdDrTkn BY9Yra8zSjFEGZvIX3irPd81+u5xlA0T 9waJO2Y9W42IMrOeKdQt++QXVHsLhOYn 4NAF6RotHSb4cqv1DXI1PSchMaJ5FWwD

0
bin/tests/system/dnssec_malformed_dnskey/ns2/truncated.selfsigned.db.signed → bin/tests/system/dnssec_malformed_dnskey/ns2/truncated-revoked.selfsigned.db.signed
View file

7
bin/tests/system/dnssec_malformed_dnskey/ns2/trusted.conf.j2
View file

@ -14,14 +14,17 @@
trust-anchors { trust-anchors {
example. static-key 257 3 14 "@ksk_public_key@"; example. static-key 257 3 14 "@ksk_public_key@";
truncated-active.selfsigned. static-key 257 3 14 "fYA=";
/* /*
* The key tag in the trust anchor must match that of the revoked * The key tag in the trust anchor must match that of the revoked
* truncated self-signed key in the truncated.selfsigned. zone. * truncated self-signed key in the truncated-revoked.selfsigned.
* zone.
* *
* The DNSKEY contents are intentionally different here, because the * The DNSKEY contents are intentionally different here, because the
* key doesn't have the revoked bit here and that flag is part of the * key doesn't have the revoked bit here and that flag is part of the
* key tag. The following decodes to key tag 33167, which is the same * key tag. The following decodes to key tag 33167, which is the same
* as the revoked truncated key in the zone file. * as the revoked truncated key in the zone file.
*/ */
truncated.selfsigned. static-key 257 3 14 "fYA="; truncated-revoked.selfsigned. static-key 257 3 14 "fYA=";
}; };

7
bin/tests/system/dnssec_malformed_dnskey/ns3/named.conf.j2
View file

@ -31,7 +31,12 @@ zone "example." {
server-addresses { 10.53.0.2; }; server-addresses { 10.53.0.2; };
}; };
zone "truncated.selfsigned." { zone "truncated-active.selfsigned." {
type static-stub;
server-addresses { 10.53.0.2; };
};
zone "truncated-revoked.selfsigned." {
type static-stub; type static-stub;
server-addresses { 10.53.0.2; }; server-addresses { 10.53.0.2; };
}; };

10
bin/tests/system/dnssec_malformed_dnskey/tests_malformed_dnskey.py
View file

@ -189,7 +189,13 @@ def test_multiple_rrsigs(ns3):
isctest.check.servfail(res) isctest.check.servfail(res)
def test_truncated_dnskey(): def test_truncated_active_dnskey():
msg = isctest.query.create("a.truncated.selfsigned.", "A") msg = isctest.query.create("a.truncated-active.selfsigned.", "A")
res = isctest.query.tcp(msg, "10.53.0.3")
isctest.check.servfail(res)
def test_truncated_revoked_dnskey():
msg = isctest.query.create("a.truncated-revoked.selfsigned.", "A")
res = isctest.query.tcp(msg, "10.53.0.3") res = isctest.query.tcp(msg, "10.53.0.3")
isctest.check.servfail(res) isctest.check.servfail(res)