Test invalid DSYNC RRset is rejected

The RFC says There MUST NOT be more than one DSYNC record for each combination of RRtype and Scheme. If we encounter more we should drop the response, as the DSYNC RRset is invalid.
2026-06-11 04:50:01 -04:00 · 2025-12-12 15:49:19 +01:00 · 2025-12-12 15:49:19 +01:00 · e69eb0528a
commit e69eb0528a
parent 35a7024e8c
12 changed files with 150 additions and 1 deletions
--- a/bin/tests/system/multisigner/ns1/root.db.in
+++ b/bin/tests/system/multisigner/ns1/root.db.in
@ -23,5 +23,8 @@ a.root-servers.nil.	A	10.53.0.1
 multisigner.		NS	ns2.multisigner.
 ns2.multisigner.	A	10.53.0.2

+bad-dsync.		NS	ns2.bad-dsync.
+ns2.bad-dsync.		A	10.53.0.2
+
 secondary.		NS	ns2.secondary.
 ns2.secondary.		A	10.53.0.2
--- a/bin/tests/system/multisigner/ns1/setup.sh
+++ b/bin/tests/system/multisigner/ns1/setup.sh
@ -22,7 +22,7 @@ zonefile=root.db

 echo_i "ns1/setup.sh"

-for tld in multisigner secondary; do
+for tld in multisigner bad-dsync secondary; do
  cp "../ns2/dsset-${tld}." .
 done

--- a/bin/tests/system/multisigner/ns2/bad-dsync.db.in.j2
+++ b/bin/tests/system/multisigner/ns2/bad-dsync.db.in.j2
@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+$ORIGIN bad-dsync.
+
+bad-dsync.	IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns2
+ns2			A	10.53.0.2
+
+scanner			A	10.53.0.2
+
+model2			NS	ns3
+			NS	ns4
+
+ns3.model2		A	10.53.0.3
+ns4.model2		A	10.53.0.4
+
+*._dsync		DSYNC	CDS NOTIFY @PORT@ scanner1
+*._dsync		DSYNC	CDS NOTIFY @PORT@ scanner2
--- a/bin/tests/system/multisigner/ns2/named.conf.j2
+++ b/bin/tests/system/multisigner/ns2/named.conf.j2
@ -40,6 +40,11 @@ zone "multisigner" {
 	file "multisigner.db.signed";
 };

+zone "bad-dsync" {
+	type primary;
+	file "bad-dsync.db.signed";
+};
+
 zone "secondary" {
 	type primary;
 	file "secondary.db.signed";
--- a/bin/tests/system/multisigner/ns2/setup.sh
+++ b/bin/tests/system/multisigner/ns2/setup.sh
@ -35,4 +35,5 @@ setup() {
 }

 setup "multisigner"
+setup "bad-dsync"
 setup "secondary"
--- a/bin/tests/system/multisigner/ns3/model2.bad-dsync.db
+++ b/bin/tests/system/multisigner/ns3/model2.bad-dsync.db
@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns3
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
--- a/bin/tests/system/multisigner/ns3/named.conf.j2
+++ b/bin/tests/system/multisigner/ns3/named.conf.j2
@ -46,6 +46,14 @@ zone "model2.multisigner." {
 	inline-signing no;
 };

+zone "model2.bad-dsync." {
+	type primary;
+	allow-update { any; };
+	file "model2.bad-dsync.db";
+	dnssec-policy model2;
+	inline-signing no;
+};
+
 zone "model2.secondary." {
 	type secondary;
 	primaries { 10.53.0.5; };
--- a/bin/tests/system/multisigner/ns3/setup.sh
+++ b/bin/tests/system/multisigner/ns3/setup.sh
@ -29,6 +29,15 @@ $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1
 $DSFROMKEY $KSK.key >dsset-ns3-${zone}.

+zone="model2.bad-dsync"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone)
+ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone)
+$SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1
+$DSFROMKEY $KSK.key >dsset-ns3-${zone}.
+
 zone="model2.secondary"
 echo_i "setting up zone: $zone"
 zonefile="${zone}.db"
--- a/bin/tests/system/multisigner/ns4/model2.bad-dsync.db
+++ b/bin/tests/system/multisigner/ns4/model2.bad-dsync.db
@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns4
+ns4			A	10.53.0.4
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
--- a/bin/tests/system/multisigner/ns4/named.conf.j2
+++ b/bin/tests/system/multisigner/ns4/named.conf.j2
@ -46,6 +46,14 @@ zone "model2.multisigner." {
 	inline-signing yes;
 };

+zone "model2.bad-dsync." {
+	type primary;
+	allow-update { any; };
+	file "model2.bad-dsync.db";
+	dnssec-policy model2;
+	inline-signing yes;
+};
+
 zone "model2.secondary." {
 	type secondary;
 	primaries { 10.53.0.5; };
--- a/bin/tests/system/multisigner/ns4/setup.sh
+++ b/bin/tests/system/multisigner/ns4/setup.sh
@ -29,6 +29,15 @@ $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1
 $DSFROMKEY $KSK.key >dsset-ns4-${zone}.

+zone="model2.bad-dsync"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone)
+ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone)
+$SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1
+$DSFROMKEY $KSK.key >dsset-ns4-${zone}.
+
 zone="model2.secondary"
 echo_i "setting up zone: $zone"
 zonefile="${zone}.db"
--- a/bin/tests/system/multisigner/tests_multisigner.py
+++ b/bin/tests/system/multisigner/tests_multisigner.py
@ -595,6 +595,25 @@ def test_multisigner(ns2, ns3, ns4):
    check_no_dnssec_in_journal(ns4, zone)


+def test_multisigner_bad_dsync(ns3, ns4):
+    zone = "model2.bad-dsync"
+
+    # First make sure the zone is properly signed.
+    isctest.log.info(f"basic DNSSEC tests for {zone}")
+    isctest.kasp.wait_keymgr_done(ns3, zone)
+    isctest.kasp.wait_keymgr_done(ns4, zone)
+
+    with ns3.watch_log_from_start() as watcher:
+        watcher.wait_for_line(
+            f"zone {zone}/IN: dsyncfetch: multiple DSYNC records matching NOTIFY scheme and CDS RRtype, dropping response"
+        )
+
+    with ns4.watch_log_from_start() as watcher:
+        watcher.wait_for_line(
+            f"zone {zone}/IN (signed): dsyncfetch: multiple DSYNC records matching NOTIFY scheme and CDS RRtype, dropping response"
+        )
+
+
 def test_multisigner_secondary(ns2, ns3, ns4, ns5):
    zone = "model2.secondary"
    keyprops = [