From f6cb154b658f8ab74511bd001671303876586a24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Mon, 3 Nov 2025 14:59:00 +0100 Subject: [PATCH] Add a template for TA and generate it from isctest.kasp.Key Add isctest.kasp.Key.into_ta() method which convert the key into DS / DNSKEY trust anchor for BIND config. Add a shared template trusted.conf.j2 which can be linked to in tests to create the trust anchor configuration from trust anchor data returned from bootstrap() function. This is basically a python replacement for the keyfile_to_static_ds (and friends) from the conf.sh shell framework. --- bin/tests/system/_common/trusted.conf.j2 | 18 ++++++++++++++++++ bin/tests/system/isctest/kasp.py | 16 ++++++++++++++++ bin/tests/system/isctest/template.py | 8 ++++++++ 3 files changed, 42 insertions(+) create mode 100644 bin/tests/system/_common/trusted.conf.j2 diff --git a/bin/tests/system/_common/trusted.conf.j2 b/bin/tests/system/_common/trusted.conf.j2 new file mode 100644 index 0000000000..fef3a774e7 --- /dev/null +++ b/bin/tests/system/_common/trusted.conf.j2 @@ -0,0 +1,18 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +trust-anchors { +{% for ta in trust_anchors %} + "@ta.domain@" @ta.type@ @ta.contents@; +{% endfor %} +}; diff --git a/bin/tests/system/isctest/kasp.py b/bin/tests/system/isctest/kasp.py index 517fe1c5d9..a86277e50e 100644 --- a/bin/tests/system/isctest/kasp.py +++ b/bin/tests/system/isctest/kasp.py @@ -20,6 +20,8 @@ import time from typing import Dict, List, Optional, Tuple, Union import dns +import dns.dnssec +from dns.dnssectypes import DSDigest import dns.rdatatype import dns.rrset import dns.tsig @@ -30,6 +32,7 @@ import isctest.log import isctest.query import isctest.util from isctest.instance import NamedInstance +from isctest.template import TrustAnchor from isctest.vars.algorithms import Algorithm, ALL_ALGORITHMS_BY_NUM DEFAULT_TTL = 300 @@ -464,6 +467,19 @@ class Key: ), f"DNSKEY not found in {self.keyfile}" return dnskey_rr + def into_ta(self, ta_type: str, dsdigest=DSDigest.SHA256) -> TrustAnchor: + dnskey = self.dnskey + if ta_type in ["static-ds", "initial-ds"]: + ds = dns.dnssec.make_ds(dnskey.name, dnskey[0], dsdigest) + parts = str(ds).split() + contents = " ".join(parts[:3]) + f' "{parts[3]}"' + elif ta_type in ["static-key", "initial-key"]: + parts = str(dnskey).split() + contents = " ".join(parts[4:7]) + f' "{"".join(parts[7:])}"' + else: + raise ValueError(f"invalid trust anchor type: {ta_type}") + return TrustAnchor(str(dnskey.name), ta_type, contents) + def is_ksk(self) -> bool: return self.get_metadata("KSK") == "yes" diff --git a/bin/tests/system/isctest/template.py b/bin/tests/system/isctest/template.py index 7ac7c8b4f0..4e27a219d1 100644 --- a/bin/tests/system/isctest/template.py +++ b/bin/tests/system/isctest/template.py @@ -11,6 +11,7 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +from dataclasses import dataclass from pathlib import Path from typing import Any, Dict, Optional, Union @@ -79,3 +80,10 @@ class TemplateEngine: ] for template in templates: self.render(template[:-3], data) + + +@dataclass +class TrustAnchor: + domain: str + type: str + contents: str