diff --git a/bin/tests/system/multisigner/ns1/root.db.in b/bin/tests/system/multisigner/ns1/root.db.in
index 395e28089e..e96ade64a8 100644
--- a/bin/tests/system/multisigner/ns1/root.db.in
+++ b/bin/tests/system/multisigner/ns1/root.db.in
@@ -23,5 +23,8 @@ a.root-servers.nil. A 10.53.0.1
 multisigner. NS ns2.multisigner.
 ns2.multisigner. A 10.53.0.2
+bad-dsync. NS ns2.bad-dsync.
+ns2.bad-dsync. A 10.53.0.2
+
 secondary. NS ns2.secondary.
 ns2.secondary. A 10.53.0.2
diff --git a/bin/tests/system/multisigner/ns1/setup.sh b/bin/tests/system/multisigner/ns1/setup.sh
index 293f6ff192..b6cf3028d1 100644
--- a/bin/tests/system/multisigner/ns1/setup.sh
+++ b/bin/tests/system/multisigner/ns1/setup.sh
@@ -22,7 +22,7 @@ zonefile=root.db
 echo_i "ns1/setup.sh"
-for tld in multisigner secondary; do
+for tld in multisigner bad-dsync secondary; do
 cp "../ns2/dsset-${tld}." .
 done
diff --git a/bin/tests/system/multisigner/ns2/bad-dsync.db.in.j2 b/bin/tests/system/multisigner/ns2/bad-dsync.db.in.j2
new file mode 100644
index 0000000000..b84eb5afec
--- /dev/null
+++ b/bin/tests/system/multisigner/ns2/bad-dsync.db.in.j2
@@ -0,0 +1,35 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+$ORIGIN bad-dsync.
+
+bad-dsync. IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ns2 A 10.53.0.2
+
+scanner A 10.53.0.2
+
+model2 NS ns3
+ NS ns4
+
+ns3.model2 A 10.53.0.3
+ns4.model2 A 10.53.0.4
+
+*._dsync DSYNC CDS NOTIFY @PORT@ scanner1
+*._dsync DSYNC CDS NOTIFY @PORT@ scanner2
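Review bot: The two `*._dsync` DSYNC records at the end of the new bad-dsync.db.in.j2 zone are the whole point of the fixture, but nothing in the file says so, and the `scanner A 10.53.0.2` record above them is referenced by neither DSYNC target (`scanner1` and `scanner2` have no address records under `$ORIGIN bad-dsync.`). A reader comparing this with the sibling zone files will take the missing A records for an oversight. Add a comment above the pair, e.g. `; Two DSYNC records with the same scheme (NOTIFY) and RRtype (CDS): the` / `; dsyncfetch must refuse to choose between them and drop the response.` The `scanner` A record appears to be a leftover from whichever zone this was copied from; either drop it or explain why it is kept.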
diff --git a/bin/tests/system/multisigner/ns2/named.conf.j2 b/bin/tests/system/multisigner/ns2/named.conf.j2
index 951c840d49..f2ef9302af 100644
--- a/bin/tests/system/multisigner/ns2/named.conf.j2
+++ b/bin/tests/system/multisigner/ns2/named.conf.j2
@@ -40,6 +40,11 @@ zone "multisigner" {
 file "multisigner.db.signed";
 };
+zone "bad-dsync" {
+ type primary;
+ file "bad-dsync.db.signed";
+};
+
 zone "secondary" {
 type primary;
 file "secondary.db.signed";
diff --git a/bin/tests/system/multisigner/ns2/setup.sh b/bin/tests/system/multisigner/ns2/setup.sh
index 025c5d3204..4fd349125d 100644
--- a/bin/tests/system/multisigner/ns2/setup.sh
+++ b/bin/tests/system/multisigner/ns2/setup.sh
@@ -35,4 +35,5 @@ setup() {
 }
 setup "multisigner"
+setup "bad-dsync"
 setup "secondary"
diff --git a/bin/tests/system/multisigner/ns3/model2.bad-dsync.db b/bin/tests/system/multisigner/ns3/model2.bad-dsync.db
new file mode 100644
index 0000000000..5850e016b9
--- /dev/null
+++ b/bin/tests/system/multisigner/ns3/model2.bad-dsync.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
diff --git a/bin/tests/system/multisigner/ns3/named.conf.j2 b/bin/tests/system/multisigner/ns3/named.conf.j2
index fc51c882f4..b56f01bf27 100644
--- a/bin/tests/system/multisigner/ns3/named.conf.j2
+++ b/bin/tests/system/multisigner/ns3/named.conf.j2
@@ -46,6 +46,14 @@ zone "model2.multisigner." {
 inline-signing no;
 };
+zone "model2.bad-dsync." {
+ type primary;
+ allow-update { any; };
+ file "model2.bad-dsync.db";
+ dnssec-policy model2;
+ inline-signing no;
+};
+
 zone "model2.secondary." {
 type secondary;
 primaries { 10.53.0.5; };
diff --git a/bin/tests/system/multisigner/ns3/setup.sh b/bin/tests/system/multisigner/ns3/setup.sh
index 2194f4e8d8..50f26480f7 100644
--- a/bin/tests/system/multisigner/ns3/setup.sh
+++ b/bin/tests/system/multisigner/ns3/setup.sh
@@ -29,6 +29,15 @@ $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1
 $DSFROMKEY $KSK.key >dsset-ns3-${zone}.
+zone="model2.bad-dsync"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone)
+ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone)
+$SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1
+$DSFROMKEY $KSK.key >dsset-ns3-${zone}.
+
 zone="model2.secondary"
 echo_i "setting up zone: $zone"
 zonefile="${zone}.db"
diff --git a/bin/tests/system/multisigner/ns4/model2.bad-dsync.db b/bin/tests/system/multisigner/ns4/model2.bad-dsync.db
new file mode 100644
index 0000000000..86a1708b45
--- /dev/null
+++ b/bin/tests/system/multisigner/ns4/model2.bad-dsync.db
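Review bot: The nine lines added to ns3/setup.sh repeat the preceding `model2.multisigner` block verbatim with only the zone name changed, and ns4/setup.sh receives the same copy in its hunk; ns2/setup.sh in this same commit already shows the better shape, a `setup()` function invoked once per zone. Wrapping the per-zone steps the same way here — `setup() {`, `  zone="$1"`, the existing nine lines indented, `}`, then `setup "model2.bad-dsync"` next to the other calls — keeps the three zones from drifting (the two `$SETTIME` invocations and the `dsset-ns3-` prefix are easy to get out of step when edited by hand). `zonefile` is assigned in the new block but not read within the hunk; keep it only if the rest of the script consumes it. The surrounding script begins and ends outside the hunk.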
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns4
+ns4 A 10.53.0.4
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
diff --git a/bin/tests/system/multisigner/ns4/named.conf.j2 b/bin/tests/system/multisigner/ns4/named.conf.j2
index 017dd6c50a..3d551d04c4 100644
--- a/bin/tests/system/multisigner/ns4/named.conf.j2
+++ b/bin/tests/system/multisigner/ns4/named.conf.j2
@@ -46,6 +46,14 @@ zone "model2.multisigner." {
 inline-signing yes;
 };
+zone "model2.bad-dsync." {
+ type primary;
+ allow-update { any; };
+ file "model2.bad-dsync.db";
+ dnssec-policy model2;
+ inline-signing yes;
+};
+
 zone "model2.secondary." {
 type secondary;
 primaries { 10.53.0.5; };
diff --git a/bin/tests/system/multisigner/ns4/setup.sh b/bin/tests/system/multisigner/ns4/setup.sh
index d50d3bd26c..bb13b8bede 100644
--- a/bin/tests/system/multisigner/ns4/setup.sh
+++ b/bin/tests/system/multisigner/ns4/setup.sh
@@ -29,6 +29,15 @@ $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1
 $DSFROMKEY $KSK.key >dsset-ns4-${zone}.
+zone="model2.bad-dsync"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone)
+ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone)
+$SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1
+$DSFROMKEY $KSK.key >dsset-ns4-${zone}.
+
 zone="model2.secondary"
 echo_i "setting up zone: $zone"
 zonefile="${zone}.db"
diff --git a/bin/tests/system/multisigner/tests_multisigner.py b/bin/tests/system/multisigner/tests_multisigner.py
index bc53c24975..15726f1eb1 100644
--- a/bin/tests/system/multisigner/tests_multisigner.py
+++ b/bin/tests/system/multisigner/tests_multisigner.py
@@ -595,6 +595,25 @@ def test_multisigner(ns2, ns3, ns4):
 check_no_dnssec_in_journal(ns4, zone)
+def test_multisigner_bad_dsync(ns3, ns4):
+ zone = "model2.bad-dsync"
+
+ # First make sure the zone is properly signed.
+ isctest.log.info(f"basic DNSSEC tests for {zone}")
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+ isctest.kasp.wait_keymgr_done(ns4, zone)
+
+ with ns3.watch_log_from_start() as watcher:
+ watcher.wait_for_line(
+ f"zone {zone}/IN: dsyncfetch: multiple DSYNC records matching NOTIFY scheme and CDS RRtype, dropping response"
+ )
+
+ with ns4.watch_log_from_start() as watcher:
+ watcher.wait_for_line(
+ f"zone {zone}/IN (signed): dsyncfetch: multiple DSYNC records matching NOTIFY scheme and CDS RRtype, dropping response"
+ )
+
+
 def test_multisigner_secondary(ns2, ns3, ns4, ns5):
 zone = "model2.secondary"
 keyprops = [
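Review bot: In the tests_multisigner.py hunk the comment `# First make sure the zone is properly signed.` and the log line `basic DNSSEC tests for {zone}` promise a signing check that the new test never performs: the two `wait_keymgr_done` calls only wait for the key manager to finish, and the sibling `test_multisigner`, whose body ends just above with `check_no_dnssec_in_journal`, presumably follows its wait with real verification. Either reuse those checks here or reword the comment to what the code does, e.g. `# Wait for the key manager so the DSYNC fetch is known to have run.` The two expected log lines also repeat one long message with only the `/IN` versus `/IN (signed)` prefix differing; hoisting it into `msg = "dsyncfetch: multiple DSYNC records matching NOTIFY scheme and CDS RRtype, dropping response"` and matching `f"zone {zone}/IN: {msg}"` and `f"zone {zone}/IN (signed): {msg}"` keeps the lines short and makes the one intended difference visible. The test pins the wording of the log message rather than the behaviour; if the harness can observe that no NOTIFY reached either `scanner1` or `scanner2`, that check would survive a rewording of the message.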