From ea9d7080cd4606d652414eaad7fbb331306c7862 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 17 Jan 2025 19:32:28 +1100 Subject: [PATCH 1/3] Validate address lookups from ADB The address lookups from ADB were not being validated, allowing spoofed responses to be accepted and used for other lookups. Validate the answers except when CD=1 is set in the triggering request. Separate ADB names looked up with CD=1 from those without CD=1, to prevent the use of unvalidated answers in the normal lookup case (CD=0). Set the TTL on unvalidated (pending) responses to ADB_CACHE_MINIMUM when adding them to the ADB. --- lib/dns/adb.c | 41 ++++++++++++++++++++++++++------------- lib/dns/include/dns/adb.h | 1 + lib/dns/resolver.c | 7 +++++++ 3 files changed, 36 insertions(+), 13 deletions(-) diff --git a/lib/dns/adb.c b/lib/dns/adb.c index 07b757308a..f4fa79166e 100644 --- a/lib/dns/adb.c +++ b/lib/dns/adb.c @@ -332,7 +332,7 @@ expire_entry(dns_adbentry_t *adbentry); static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t, dns_rdatatype_t); static isc_result_t -fetch_name(dns_adbname_t *, bool, unsigned int, isc_counter_t *qc, +fetch_name(dns_adbname_t *, bool, bool, unsigned int, isc_counter_t *qc, isc_counter_t *gqc, dns_rdatatype_t); static void destroy(dns_adb_t *); 
@@ -410,10 +410,13 @@ enum { #define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0) #define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0) #define FIND_STATICSTUB(fn) (((fn)->options & DNS_ADBFIND_STATICSTUB) != 0) +#define FIND_NOVALIDATE(fn) (((fn)->options & DNS_ADBFIND_NOVALIDATE) != 0) #define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) #define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0) -#define ADBNAME_FLAGS_MASK (DNS_ADBFIND_STARTATZONE | DNS_ADBFIND_STATICSTUB) +#define ADBNAME_FLAGS_MASK \ + (DNS_ADBFIND_STARTATZONE | DNS_ADBFIND_STATICSTUB | \ + DNS_ADBFIND_NOVALIDATE) /* * These are currently used on simple unsigned ints, so they are @@ -555,6 +558,8 @@ import_rdataset(dns_adbname_t *adbname, dns_rdataset_t *rdataset, switch (rdataset->trust) { case dns_trust_glue: case dns_trust_additional: + case dns_trust_pending_answer: + case dns_trust_pending_additional: rdataset->ttl = ADB_CACHE_MINIMUM; break; case dns_trust_ultimate: @@ -2118,6 +2123,8 @@ fetch: if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) && !FIND_NOFETCH(find)) { + bool no_validate = FIND_NOVALIDATE(find); + /* * We're missing at least one address family. Either the * caller hasn't instructed us to avoid fetches, or we don't @@ -2133,8 +2140,8 @@ fetch: * Start V4. */ if (WANT_INET(wanted_fetches) && - fetch_name(adbname, start_at_zone, depth, qc, gqc, - dns_rdatatype_a) == ISC_R_SUCCESS) + fetch_name(adbname, start_at_zone, no_validate, depth, qc, + gqc, dns_rdatatype_a) == ISC_R_SUCCESS) { DP(DEF_LEVEL, "dns_adb_createfind: " @@ -2146,8 +2153,8 @@ fetch: * Start V6. */ if (WANT_INET6(wanted_fetches) && - fetch_name(adbname, start_at_zone, depth, qc, gqc, - dns_rdatatype_aaaa) == ISC_R_SUCCESS) + fetch_name(adbname, start_at_zone, no_validate, depth, qc, + gqc, dns_rdatatype_aaaa) == ISC_R_SUCCESS) { DP(DEF_LEVEL, "dns_adb_createfind: " 
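Review bot: The new `dns_trust_pending_answer` / `dns_trust_pending_additional` cases in `import_rdataset` clamp the TTL to `ADB_CACHE_MINIMUM` without saying why, and the reason is security-relevant: pending data is unvalidated and may be spoofed, so it has to age out of the ADB quickly enough for a validated answer to replace it (the recovery the third patch tests depends on this). A why-comment above the case list would keep the next maintainer from "optimising" it away, e.g. `/* Unvalidated (pending) and non-authoritative (glue/additional) data may be spoofed; keep it only briefly so a validated answer can replace it. */`. import_rdataset's body starts and ends outside the hunk.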
@@ -2951,8 +2958,9 @@ out: } static isc_result_t -fetch_name(dns_adbname_t *adbname, bool start_at_zone, unsigned int depth, - isc_counter_t *qc, isc_counter_t *gqc, dns_rdatatype_t type) { +fetch_name(dns_adbname_t *adbname, bool start_at_zone, bool no_validation, + unsigned int depth, isc_counter_t *qc, isc_counter_t *gqc, + dns_rdatatype_t type) { isc_result_t result; dns_adbfetch_t *fetch = NULL; dns_adb_t *adb = NULL; @@ -2960,7 +2968,7 @@ fetch_name(dns_adbname_t *adbname, bool start_at_zone, unsigned int depth, dns_name_t *name = NULL; dns_rdataset_t rdataset; dns_rdataset_t *nameservers = NULL; - unsigned int options; + unsigned int options = no_validation ? DNS_FETCHOPT_NOVALIDATE : 0; REQUIRE(DNS_ADBNAME_VALID(adbname)); @@ -2975,8 +2983,6 @@ fetch_name(dns_adbname_t *adbname, bool start_at_zone, unsigned int depth, dns_rdataset_init(&rdataset); - options = DNS_FETCHOPT_NOVALIDATE; - if (start_at_zone) { DP(ENTER_LEVEL, "fetch_name: starting at zone for name %p", adbname); @@ -3411,6 +3417,7 @@ dns_adb_flushname(dns_adb_t *adb, const dns_name_t *name) { isc_result_t result; bool start_at_zone = false; bool static_stub = false; + bool novalidate = false; dns_adbname_t key = { .name = UNCONST(name) }; REQUIRE(DNS_ADB_VALID(adb)); @@ -3424,10 +3431,12 @@ dns_adb_flushname(dns_adb_t *adb, const dns_name_t *name) { again: /* * Delete all entries - with and without DNS_ADBFIND_STARTATZONE set - * and with and without DNS_ADBFIND_STATICSTUB set. + * with and without DNS_ADBFIND_STATICSTUB set and with and without + * DNS_ADBFIND_NOVALIDATE set. */ key.flags = ((static_stub) ? DNS_ADBFIND_STATICSTUB : 0) | - ((start_at_zone) ? DNS_ADBFIND_STARTATZONE : 0); + ((start_at_zone) ? DNS_ADBFIND_STARTATZONE : 0) | + ((novalidate) ? DNS_ADBFIND_NOVALIDATE : 0); result = isc_hashmap_find(adb->names, hash_adbname(&key), match_adbname, (void *)&key, (void **)&adbname); 
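Review bot: `fetch_name` now takes two adjacent positional `bool`s (`start_at_zone`, `no_validation`), which is easy to transpose at the two call sites in `dns_adb_createfind` and hard to spot in review. Since the name's own flags already carry `DNS_ADBFIND_NOVALIDATE` (it is part of `ADBNAME_FLAGS_MASK` in this patch) and `dbfind_name` already derives start-at-zone from `adbname->flags`, the option could be read from the name instead: `unsigned int options = ((adbname->flags & DNS_ADBFIND_NOVALIDATE) != 0) ? DNS_FETCHOPT_NOVALIDATE : 0;` — assuming the name's flags are always set from the same find options, which the hunk does not show. Either way, the behavioural change (validating by default where the function previously always set `DNS_FETCHOPT_NOVALIDATE`) deserves a comment on the `options` initialiser, e.g. `/* Validate unless the triggering query had CD=1; unvalidated answers live under a separate ADB name. */`. fetch_name's body continues outside the hunk.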
@@ -3448,6 +3457,12 @@ again: static_stub = true; goto again; } + if (!novalidate) { + start_at_zone = false; + static_stub = false; + novalidate = true; + goto again; + } RWUNLOCK(&adb->names_lock, isc_rwlocktype_write); } diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h index 4cb4e9eae8..3588df344f 100644 --- a/lib/dns/include/dns/adb.h +++ b/lib/dns/include/dns/adb.h @@ -193,6 +193,7 @@ struct dns_adbfind { * Only look for glue record for static stub. */ #define DNS_ADBFIND_STATICSTUB 0x00001000 +#define DNS_ADBFIND_NOVALIDATE 0x00002000 /*% * The answers to queries come back as a list of these. diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 98abe47557..ec23f3b185 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -3265,6 +3265,13 @@ findname(fetchctx_t *fctx, const dns_name_t *name, in_port_t port, options |= DNS_ADBFIND_QUOTAEXEMPT; } + /* + * Pass through NOVALIDATE to any lookups ADB makes. + */ + if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0) { + options |= DNS_ADBFIND_NOVALIDATE; + } + /* * See what we know about this address. */ From 6469ebd08e1fd18ecb87be6d9ec7111d55d4c820 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 22 Jan 2025 20:58:33 +1100 Subject: [PATCH 2/3] Set PENDINGOK if STARTATZONE is set When there are parent and child zones on the same server, the DNSKEY lookup was failing as the pending record we are validating is needed to fetch the DNSKEY records. This change allows that to happen. The caller is already setting STARTATZONE when the name being looked up is a subdomain of the current domain. --- lib/dns/adb.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/lib/dns/adb.c b/lib/dns/adb.c index f4fa79166e..8df847e26f 100644 --- a/lib/dns/adb.c +++ b/lib/dns/adb.c 
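Review bot: The goto cascade in `dns_adb_flushname` now has to reset the two earlier flags each time a later one is advanced (`start_at_zone = false; static_stub = false; novalidate = true;`) so that all eight flag combinations are visited, and a fourth keyed flag would need yet another such block with three resets. Since `key.flags` is just an OR of bits, a counted loop is shorter and cannot miss a combination: `for (unsigned int f = 0; f < 8; f++) { key.flags = ((f & 1) ? DNS_ADBFIND_STARTATZONE : 0) | ((f & 2) ? DNS_ADBFIND_STATICSTUB : 0) | ((f & 4) ? DNS_ADBFIND_NOVALIDATE : 0); … }` with the lookup-and-expire body inside it. The function starts outside the hunk, so whether the `again:` body re-enters for the same flags after a deletion needs checking before restructuring.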
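Review bot: `DNS_ADBFIND_NOVALIDATE` is added to adb.h without the explanatory comment its neighbour `DNS_ADBFIND_STATICSTUB` carries ("Only look for glue record for static stub."), and the flag's effect is subtle: it both disables validation of the ADB's own address fetches and keys the name separately so that unvalidated answers never serve a validating lookup. Add above the define: `/* Do not validate the address lookups (the triggering query had CD=1). Names found with this flag are kept apart from validated ones. */`.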
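Review bot: The comment on the new block in `findname` says what it does but not why it matters; from the rest of the patch this pass-through appears to be what keeps a CD=1 query's unvalidated answers out of the ADB names used by CD=0 lookups, and that is worth stating at the one place the flag is set. Suggest `/* Pass through NOVALIDATE to any lookups ADB makes: a CD=1 fetch must not populate the (validated) ADB names used by normal lookups. */`. I cannot see whether `DNS_FETCHOPT_NOVALIDATE` has users other than CD=1 queries, so the wording should be checked against them. findname's body starts and continues outside the hunk.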
@@ -2649,6 +2649,7 @@ dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype) { dns_adb_t *adb = NULL; dns_fixedname_t foundname; dns_name_t *fname = NULL; + unsigned int options = DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK; REQUIRE(DNS_ADBNAME_VALID(adbname)); @@ -2674,11 +2675,13 @@ dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype) { * any matching static-stub zone without looking into the cache to honor * the configuration on which server we should send queries to. */ - result = - dns_view_find(adb->view, adbname->name, rdtype, now, - DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK, true, - ((adbname->flags & DNS_ADBFIND_STARTATZONE) != 0), - NULL, NULL, fname, &rdataset, NULL); + if ((adbname->flags & DNS_ADBFIND_STARTATZONE) != 0) { + options |= DNS_DBFIND_PENDINGOK; + } + result = dns_view_find( + adb->view, adbname->name, rdtype, now, options, true, + ((adbname->flags & DNS_ADBFIND_STARTATZONE) != 0), NULL, NULL, + fname, &rdataset, NULL); switch (result) { case DNS_R_GLUE: From 88c31fdd52ceee43224b83847247057f8aecbf76 Mon Sep 17 00:00:00 2001 
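Review bot: `DNS_DBFIND_PENDINGOK` is now set for every `STARTATZONE` lookup in `dbfind_name`, which lets unvalidated (pending) address records already in the cache satisfy a CD=0 lookup whenever the name is below the current domain — broader than the DNSKEY-fetch case the commit message describes. The TTL clamp on pending data in `import_rdataset` limits the exposure, but nothing in the code says so; add above the `if`: `/* A STARTATZONE name is below the zone being resolved, so the pending records here are the ones whose validation needs these addresses (e.g. the DNSKEY fetch); allow them. import_rdataset gives unvalidated data a short TTL. */`. The same flag test is also evaluated twice in this hunk; hoisting `bool start_at_zone = (adbname->flags & DNS_ADBFIND_STARTATZONE) != 0;` and using it in both places reads cleaner. dbfind_name's body continues outside the hunk.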
From: Mark Andrews Date: Wed, 22 Jan 2025 23:54:53 +1100 Subject: [PATCH 3/3] Check recovery from spoofed server addresses Named was failing to recover when spoofed nameserver address from a signed zone for a peer zone were returned to a previous CD=1 query. Validate non-glue interior server addresses before using them. --- bin/tests/system/dnssec/ns1/root.db.in | 2 ++ bin/tests/system/dnssec/ns1/sign.sh | 1 + bin/tests/system/dnssec/ns2/named.conf.in | 10 ++++++ .../system/dnssec/ns2/peer-ns-spoof.db.in | 24 ++++++++++++++ .../dnssec/ns2/peer.peer-ns-spoof.db.in | 22 +++++++++++++ bin/tests/system/dnssec/ns2/sign.sh | 33 +++++++++++++++++++ bin/tests/system/dnssec/ns3/named.conf.in | 5 +++ bin/tests/system/dnssec/ns3/sign.sh | 11 +++++++ .../dnssec/ns3/target.peer-ns-spoof.db.in | 20 +++++++++++ bin/tests/system/dnssec/tests.sh | 20 +++++++++++ bin/tests/system/dnssec/tests_sh_dnssec.py | 6 ++++ 11 files changed, 154 insertions(+) create mode 100644 bin/tests/system/dnssec/ns2/peer-ns-spoof.db.in create mode 100644 bin/tests/system/dnssec/ns2/peer.peer-ns-spoof.db.in create mode 100644 bin/tests/system/dnssec/ns3/target.peer-ns-spoof.db.in diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in index ca72f0ee32..4cb21c1826 100644 --- a/bin/tests/system/dnssec/ns1/root.db.in +++ b/bin/tests/system/dnssec/ns1/root.db.in @@ -37,3 +37,5 @@ inprogress. NS ns10.inprogress. ns10.inprogress. A 10.53.0.10 too-many-iterations. NS ns2.too-many-iterations. ns2.too-many-iterations. A 10.53.0.2 +peer-ns-spoof NS ns2.peer-ns-spoof. +ns2.peer-ns-spoof. A 10.53.0.2 diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index 0247b9d8b4..b649cd4a09 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh 
@@ -30,6 +30,7 @@ cp "../ns2/dsset-example." . cp "../ns2/dsset-in-addr.arpa." . cp "../ns2/dsset-too-many-iterations." . cp "../ns2/dsset-lazy-ksk." . +cp "../ns2/dsset-peer-ns-spoof." . grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll." cp "../ns6/dsset-optout-tld." . diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in index 6e9ccf68a9..310b46b322 100644 --- a/bin/tests/system/dnssec/ns2/named.conf.in +++ b/bin/tests/system/dnssec/ns2/named.conf.in @@ -214,4 +214,14 @@ zone "lazy-ksk" { allow-update { any; }; }; +zone "peer-ns-spoof" { + type primary; + file "peer-ns-spoof.db.signed"; +}; + +zone "peer.peer-ns-spoof" { + type primary; + file "peer.peer-ns-spoof.db.signed"; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns2/peer-ns-spoof.db.in b/bin/tests/system/dnssec/ns2/peer-ns-spoof.db.in new file mode 100644 index 0000000000..10300ad781 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/peer-ns-spoof.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 +peer NS ns2.peer +ns2.peer A 10.53.0.2 +target NS ns3.peer diff --git a/bin/tests/system/dnssec/ns2/peer.peer-ns-spoof.db.in b/bin/tests/system/dnssec/ns2/peer.peer-ns-spoof.db.in new file mode 100644 index 0000000000..5d4d1a700b --- /dev/null +++ b/bin/tests/system/dnssec/ns2/peer.peer-ns-spoof.db.in 
@@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index 9ac57f776c..106f67cbeb 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -27,6 +27,8 @@ for subdomain in secure unsupported disabled enabled; do cp "../ns3/dsset-$subdomain.trusted." . done +cp "../ns3/dsset-target.peer-ns-spoof." . + # Sign the "trusted." and "managed." zones. zone=managed. infile=key.db.in 
@@ -354,3 +356,34 @@ rm "$rm1.key" rm "$rm1.private" rm "$rm2.key" rm "$rm2.private" + +# +# A zone with where the address for peer zone server is modified and signatures +# stripped. +# +zone=peer.peer-ns-spoof +infile=peer.peer-ns-spoof.db.in +zonefile=peer.peer-ns-spoof.db +ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 +"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \ + | awk '$1 == "ns3.peer.peer-ns-spoof." && $4 == "RRSIG" && $5 == "A" { next } + $1 == "ns3.peer.peer-ns-spoof." && $4 == "A" { $5 = "10.53.0.100" } + { print }' >"$zonefile.stripped" +"$CHECKZONE" -D -q -i local "$zone" "$zonefile.signed" \ + | awk '$4 == "SOA" { $7 = $7 + 1; print; next } { print }' >"$zonefile.next" +"$SIGNER" -g -o "$zone" -f "$zonefile.next" "$zonefile.next" >/dev/null 2>&1 +cp "$zonefile.stripped" "$zonefile.signed" + +# +# parent zone for peer.peer-ns-spoof +# +zone=peer-ns-spoof +infile=peer-ns-spoof.db.in +zonefile=peer-ns-spoof.db +ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in index 293ff2dda8..917e2b7299 100644 --- a/bin/tests/system/dnssec/ns3/named.conf.in +++ b/bin/tests/system/dnssec/ns3/named.conf.in @@ -423,6 +423,11 @@ zone "rsasha1-1024.example" { file "rsasha1-1024.example.db"; }; +zone "target.peer-ns-spoof" { + type primary; + file "target.peer-ns-spoof.db.signed"; +}; + dnssec-policy "siginterval1" { keys { ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; 
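Review bot: `"$SIGNER" -g -o "$zone" -f "$zonefile.next" "$zonefile.next"` reads and writes the same path; if dnssec-signzone opens its output before it has finished loading the input, the file is truncated and the `cp` of `.next` over `.signed` in tests.sh later installs an empty zone, so the failure would show up as an unrelated reload error. Signing to a temporary name is safer: `"$SIGNER" -g -o "$zone" -f "$zonefile.next.signed" "$zonefile.next" >/dev/null 2>&1 && mv "$zonefile.next.signed" "$zonefile.next"`. The stanza's header comment also has a typo, "A zone with where the address …" should read "A zone where the address …".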
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index f61ea28381..288ee6bc19 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -701,3 +701,14 @@ zone=rsasha1-1024.example zonefile=rsasha1-1024.example.db awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" \ | $DSFROMKEY -f - "$zone" >"dsset-${zone}." + +# +# +# +zone=target.peer-ns-spoof +infile=target.peer-ns-spoof.db.in +zonefile=target.peer-ns-spoof.db +ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") +zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 diff --git a/bin/tests/system/dnssec/ns3/target.peer-ns-spoof.db.in b/bin/tests/system/dnssec/ns3/target.peer-ns-spoof.db.in new file mode 100644 index 0000000000..2da55f30e2 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/target.peer-ns-spoof.db.in @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3.peer.peer-ns-spoof. diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index fc70f4c568..254ba2a750 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh 
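Review bot: The comment header above the new `target.peer-ns-spoof` stanza in ns3/sign.sh is empty (three bare `#` lines), so the reader has to reconstruct from the ns2 script why this zone exists. Fill it in, e.g. `# target.peer-ns-spoof: signed zone whose only NS (ns3.peer.peer-ns-spoof) lives in a sibling zone; used by the spoofed-server-address recovery test.`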
@@ -184,6 +184,26 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) +echo_i "checking recovery from spoofed server addresses ($n)" +ret=0 +# prime cache with spoofed address records +dig_with_opts +cd target.peer-ns-spoof @10.53.0.4 a >dig.out.prime.ns4.test$n || ret=1 +grep "status: SERVFAIL" dig.out.prime.ns4.test$n >/dev/null || ret=1 +rndccmd 10.53.0.4 dumpdb | sed 's/^/ns4 /' | cat_i +mv ns4/named_dump.db ns4/named_dump.db.test$n >/dev/null || ret=1 +grep "10.53.0.100" ns4/named_dump.db.test$n || ret=1 +# reload server with properly signed zone +cp ns2/peer.peer-ns-spoof.db.next ns2/peer.peer-ns-spoof.db.signed +nextpart ns2/named.run >/dev/null +rndccmd 10.53.0.2 reload peer.peer-ns-spoof | sed 's/^/ns2 /' | cat_i +wait_for_log 5 "zone peer.peer-ns-spoof/IN: loaded serial 2000042408" ns2/named.run || ret=1 +dig_with_opts +noauth test.target.peer-ns-spoof @10.53.0.4 txt >dig.out.ns4.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags: qr rd ra ad;" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + echo_i "checking that 'example/DS' from the referral was used in previous validation ($n)" ret=0 grep "query 'example/DS/IN' approved" ns1/named.run >/dev/null && ret=1 diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py index c7e4d9df7e..e00d160cd7 100644 --- a/bin/tests/system/dnssec/tests_sh_dnssec.py +++ b/bin/tests/system/dnssec/tests_sh_dnssec.py @@ -55,6 +55,10 @@ pytestmark = pytest.mark.extra_artifacts( "ns2/lazy-ksk.db", "ns2/managed.db", "ns2/nsec3chain-test.db", + "ns2/peer-ns-spoof.db", + "ns2/peer.peer-ns-spoof.db", + "ns2/peer.peer-ns-spoof.db.next", + "ns2/peer.peer-ns-spoof.db.stripped", "ns2/settime.out.updatecheck-kskonly.secure.ksk", "ns2/settime.out.updatecheck-kskonly.secure.zsk", "ns2/single-nsec3.db", 
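Review bot: After reloading the corrected zone, the recovery query (`dig_with_opts +noauth test.target.peer-ns-spoof @10.53.0.4 txt`) is issued immediately, with only `wait_for_log` guarding the reload, so it relies on ns4 having already discarded the spoofed 10.53.0.100 address (the ADB keeps pending data for `ADB_CACHE_MINIMUM`, whose value is not visible here, and the resolver cache may hold it too). If that expiry is not instantaneous the query can still SERVFAIL and the test is flaky; wrapping the dig-plus-grep in the suite's retry helper, or sleeping past the minimum TTL, would make the check deterministic. Separately, `grep "10.53.0.100" ns4/named_dump.db.test$n || ret=1` is the only grep in the block not sent to `/dev/null`, so it spills the matching dump line into the test log.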
@@ -121,6 +125,7 @@ pytestmark = pytest.mark.extra_artifacts( "ns3/siginterval.example.db", "ns3/split-dnssec.example.db", "ns3/split-smart.example.db", + "ns3/target.peer-ns-spoof.db", "ns3/trusted-future.key", "ns3/ttlpatch.example.db", "ns3/ttlpatch.example.db.patched", @@ -136,6 +141,7 @@ pytestmark = pytest.mark.extra_artifacts( "ns4/managed.conf", "ns4/managed-keys.bind", "ns4/named.secroots", + "ns4/named_dump.db", "ns4/named_dump.db.*", "ns5/revoked.conf", "ns5/trusted.conf",