From e69eb0528a8fa301bf12fc5832693ef55328234c Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 12 Dec 2025 15:49:19 +0100 Subject: [PATCH] Test invalid DSYNC RRset is rejected The RFC says There MUST NOT be more than one DSYNC record for each combination of RRtype and Scheme. If we encounter more we should drop the response, as the DSYNC RRset is invalid. --- bin/tests/system/multisigner/ns1/root.db.in | 3 ++ bin/tests/system/multisigner/ns1/setup.sh | 2 +- .../system/multisigner/ns2/bad-dsync.db.in.j2 | 35 +++++++++++++++++++ .../system/multisigner/ns2/named.conf.j2 | 5 +++ bin/tests/system/multisigner/ns2/setup.sh | 1 + .../multisigner/ns3/model2.bad-dsync.db | 26 ++++++++++++++ .../system/multisigner/ns3/named.conf.j2 | 8 +++++ bin/tests/system/multisigner/ns3/setup.sh | 9 +++++ .../multisigner/ns4/model2.bad-dsync.db | 26 ++++++++++++++ .../system/multisigner/ns4/named.conf.j2 | 8 +++++ bin/tests/system/multisigner/ns4/setup.sh | 9 +++++ .../system/multisigner/tests_multisigner.py | 19 ++++++++++ 12 files changed, 150 insertions(+), 1 deletion(-) create mode 100644 bin/tests/system/multisigner/ns2/bad-dsync.db.in.j2 create mode 100644 bin/tests/system/multisigner/ns3/model2.bad-dsync.db create mode 100644 bin/tests/system/multisigner/ns4/model2.bad-dsync.db diff --git a/bin/tests/system/multisigner/ns1/root.db.in b/bin/tests/system/multisigner/ns1/root.db.in index 395e28089e..e96ade64a8 100644 --- a/bin/tests/system/multisigner/ns1/root.db.in +++ b/bin/tests/system/multisigner/ns1/root.db.in @@ -23,5 +23,8 @@ a.root-servers.nil. A 10.53.0.1 multisigner. NS ns2.multisigner. ns2.multisigner. A 10.53.0.2 +bad-dsync. NS ns2.bad-dsync. +ns2.bad-dsync. A 10.53.0.2 + secondary. NS ns2.secondary. ns2.secondary. A 10.53.0.2 diff --git a/bin/tests/system/multisigner/ns1/setup.sh b/bin/tests/system/multisigner/ns1/setup.sh index 293f6ff192..b6cf3028d1 100644 --- a/bin/tests/system/multisigner/ns1/setup.sh +++ b/bin/tests/system/multisigner/ns1/setup.sh @@ -22,7 +22,7 @@ zonefile=root.db echo_i "ns1/setup.sh" -for tld in multisigner secondary; do +for tld in multisigner bad-dsync secondary; do cp "../ns2/dsset-${tld}." . done diff --git a/bin/tests/system/multisigner/ns2/bad-dsync.db.in.j2 b/bin/tests/system/multisigner/ns2/bad-dsync.db.in.j2 new file mode 100644 index 0000000000..b84eb5afec --- /dev/null +++ b/bin/tests/system/multisigner/ns2/bad-dsync.db.in.j2 @@ -0,0 +1,35 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +$ORIGIN bad-dsync. + +bad-dsync. IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 +ns2 A 10.53.0.2 + +scanner A 10.53.0.2 + +model2 NS ns3 + NS ns4 + +ns3.model2 A 10.53.0.3 +ns4.model2 A 10.53.0.4 + +*._dsync DSYNC CDS NOTIFY @PORT@ scanner1 +*._dsync DSYNC CDS NOTIFY @PORT@ scanner2 diff --git a/bin/tests/system/multisigner/ns2/named.conf.j2 b/bin/tests/system/multisigner/ns2/named.conf.j2 index 951c840d49..f2ef9302af 100644 --- a/bin/tests/system/multisigner/ns2/named.conf.j2 +++ b/bin/tests/system/multisigner/ns2/named.conf.j2 @@ -40,6 +40,11 @@ zone "multisigner" { file "multisigner.db.signed"; }; +zone "bad-dsync" { + type primary; + file "bad-dsync.db.signed"; +}; + zone "secondary" { type primary; file "secondary.db.signed"; diff --git a/bin/tests/system/multisigner/ns2/setup.sh b/bin/tests/system/multisigner/ns2/setup.sh index 025c5d3204..4fd349125d 100644 --- a/bin/tests/system/multisigner/ns2/setup.sh +++ b/bin/tests/system/multisigner/ns2/setup.sh @@ -35,4 +35,5 @@ setup() { } setup "multisigner" +setup "bad-dsync" setup "secondary" diff --git a/bin/tests/system/multisigner/ns3/model2.bad-dsync.db b/bin/tests/system/multisigner/ns3/model2.bad-dsync.db new file mode 100644 index 0000000000..5850e016b9 --- /dev/null +++ b/bin/tests/system/multisigner/ns3/model2.bad-dsync.db @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns3 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 diff --git a/bin/tests/system/multisigner/ns3/named.conf.j2 b/bin/tests/system/multisigner/ns3/named.conf.j2 index fc51c882f4..b56f01bf27 100644 --- a/bin/tests/system/multisigner/ns3/named.conf.j2 +++ b/bin/tests/system/multisigner/ns3/named.conf.j2 @@ -46,6 +46,14 @@ zone "model2.multisigner." { inline-signing no; }; +zone "model2.bad-dsync." { + type primary; + allow-update { any; }; + file "model2.bad-dsync.db"; + dnssec-policy model2; + inline-signing no; +}; + zone "model2.secondary." { type secondary; primaries { 10.53.0.5; }; diff --git a/bin/tests/system/multisigner/ns3/setup.sh b/bin/tests/system/multisigner/ns3/setup.sh index 2194f4e8d8..50f26480f7 100644 --- a/bin/tests/system/multisigner/ns3/setup.sh +++ b/bin/tests/system/multisigner/ns3/setup.sh @@ -29,6 +29,15 @@ $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 $DSFROMKEY $KSK.key >dsset-ns3-${zone}. +zone="model2.bad-dsync" +echo_i "setting up zone: $zone" +zonefile="${zone}.db" +KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone) +ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone) +$SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 +$DSFROMKEY $KSK.key >dsset-ns3-${zone}. + zone="model2.secondary" echo_i "setting up zone: $zone" zonefile="${zone}.db" diff --git a/bin/tests/system/multisigner/ns4/model2.bad-dsync.db b/bin/tests/system/multisigner/ns4/model2.bad-dsync.db new file mode 100644 index 0000000000..86a1708b45 --- /dev/null +++ b/bin/tests/system/multisigner/ns4/model2.bad-dsync.db @@ -0,0 +1,26 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns4 +ns4 A 10.53.0.4 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 diff --git a/bin/tests/system/multisigner/ns4/named.conf.j2 b/bin/tests/system/multisigner/ns4/named.conf.j2 index 017dd6c50a..3d551d04c4 100644 --- a/bin/tests/system/multisigner/ns4/named.conf.j2 +++ b/bin/tests/system/multisigner/ns4/named.conf.j2 @@ -46,6 +46,14 @@ zone "model2.multisigner." { inline-signing yes; }; +zone "model2.bad-dsync." { + type primary; + allow-update { any; }; + file "model2.bad-dsync.db"; + dnssec-policy model2; + inline-signing yes; +}; + zone "model2.secondary." { type secondary; primaries { 10.53.0.5; }; diff --git a/bin/tests/system/multisigner/ns4/setup.sh b/bin/tests/system/multisigner/ns4/setup.sh index d50d3bd26c..bb13b8bede 100644 --- a/bin/tests/system/multisigner/ns4/setup.sh +++ b/bin/tests/system/multisigner/ns4/setup.sh @@ -29,6 +29,15 @@ $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 $DSFROMKEY $KSK.key >dsset-ns4-${zone}. +zone="model2.bad-dsync" +echo_i "setting up zone: $zone" +zonefile="${zone}.db" +KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone) +ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone) +$SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 +$DSFROMKEY $KSK.key >dsset-ns4-${zone}. + zone="model2.secondary" echo_i "setting up zone: $zone" zonefile="${zone}.db" diff --git a/bin/tests/system/multisigner/tests_multisigner.py b/bin/tests/system/multisigner/tests_multisigner.py index bc53c24975..15726f1eb1 100644 --- a/bin/tests/system/multisigner/tests_multisigner.py +++ b/bin/tests/system/multisigner/tests_multisigner.py @@ -595,6 +595,25 @@ def test_multisigner(ns2, ns3, ns4): check_no_dnssec_in_journal(ns4, zone) +def test_multisigner_bad_dsync(ns3, ns4): + zone = "model2.bad-dsync" + + # First make sure the zone is properly signed. + isctest.log.info(f"basic DNSSEC tests for {zone}") + isctest.kasp.wait_keymgr_done(ns3, zone) + isctest.kasp.wait_keymgr_done(ns4, zone) + + with ns3.watch_log_from_start() as watcher: + watcher.wait_for_line( + f"zone {zone}/IN: dsyncfetch: multiple DSYNC records matching NOTIFY scheme and CDS RRtype, dropping response" + ) + + with ns4.watch_log_from_start() as watcher: + watcher.wait_for_line( + f"zone {zone}/IN (signed): dsyncfetch: multiple DSYNC records matching NOTIFY scheme and CDS RRtype, dropping response" + ) + + def test_multisigner_secondary(ns2, ns3, ns4, ns5): zone = "model2.secondary" keyprops = [