upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-08 21:02:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add a test for non-existence of RRSIG in the unsigned zone

Browse source 
This tests that the result is NOERROR and a single SOA record is
returned.
This commit is contained in:
Ondřej Surý 2025-08-21 09:47:32 +02:00
parent 449245b059
commit bdd59dace8
No known key found for this signature in database
GPG key ID: 2820F37E873DEA41
1 changed files with 14 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
bin/tests/system/dnssec/tests_validation.py
View file

@ -82,6 +82,20 @@ def test_load_transfer(qname, qtype):
isctest.check.noerror(res1)
def test_insecure_rrsig():
# check that for a rrsig query against a validating resolver where the
# authoritative zone is unsigned (insecure delegation), noerror is
# returned.
msg = isctest.query.create("a.insecure.example", "RRSIG")
res = isctest.query.tcp(msg, "10.53.0.4")
isctest.check.noerror(res)
isctest.check.rr_count_eq(res.answer, 0)
isctest.check.rr_count_eq(res.authority, 1)
isctest.check.rr_count_eq(res.additional, 0)
assert str(res.authority[0].name) == "insecure.example."
assert res.authority[0].rdtype == rdatatype.SOA
def test_insecure_glue():
# check that for a query against a validating resolver where the
# authoritative zone is unsigned (insecure delegation), glue is returned