upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
bind9/bin/tests/system/checkds
History
Nicki Křížek f144db6b68 Remove license headers from test zone files 
The removal has been done with the following command:

find bin/tests/system/ -type f -name "*.db*" -exec sed -i '1,10d; 11{/^$/d}' {} +

The following files have been handled manually, since they already
didn't have the license info, or had it in a slightly different format:

bin/tests/system/ssutoctou/ns1/example.db.in
bin/tests/system/checkzone/zones/crashzone.db
bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db
bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db
bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db
bin/tests/system/legacy/ns6/edns512.db.signed
2026-03-31 17:57:58 +02:00
..
ns1 Remove license headers from test zone files 2026-03-31 17:57:58 +02:00
ns2 Remove license headers from test zone files 2026-03-31 17:57:58 +02:00
ns3 Remove license headers from named.conf test files 2026-03-31 17:57:58 +02:00
ns4 Remove license headers from named.conf test files 2026-03-31 17:57:58 +02:00
ns5 Remove license headers from test zone files 2026-03-31 17:57:58 +02:00
ns6 Remove license headers from named.conf test files 2026-03-31 17:57:58 +02:00
ns7 Remove license headers from named.conf test files 2026-03-31 17:57:58 +02:00
ns8 Remove license headers from named.conf test files 2026-03-31 17:57:58 +02:00
ns9 Remove license headers from test zone files 2026-03-31 17:57:58 +02:00
ns10 Remove license headers from named.conf test files 2026-03-31 17:57:58 +02:00
README Add two checkds test servers 2023-04-03 14:01:22 +00:00
setup.sh Replace .in with .j2 templates for simple copy_setports cases 2025-12-09 14:23:14 +01:00
tests_checkds.py Clean up imports of dnspython modules 2026-02-20 15:17:32 +01:00

README 

Copyright (C) Internet Systems Consortium, Inc. ("ISC")

SPDX-License-Identifier: MPL-2.0

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0.  If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.

See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.

The test setup for the checkds tests.

These servers are parent servers:
- ns1 is the root server.

- ns2 is a primary authoritative server that serves the parent zone for zones
  configured in ns9.
- ns4 is the secondary server for ns2.
- ns8 is the secondary server for ns2 that is not part of the NS RRset,
  used for testing explicit parental-agents.

- ns5 is a primary authoritative server that serves the parent zone for zones
  configured in ns9, but this one does not publish DS records (to test cases
  where the DS is missing and the DS needs to be withdrawn).
- ns7 is the secondary server for ns5.
- ns10 is the secondary server for ns5 that is not part of the NS RRset,
  used for testing explicit parental-agents.

- ns6 is an authoritative server for a different zone, to test badly configured
  parental agents.

- ns3 is a resolver that can be configured as a parental agent.

- Finally, ns9 is the authoritative server for the various DNSSEC enabled test
  domains.

We need multiple test cases for testing the "checkds" functionality. Basically,
the behavior of "checkds" is of importance in three cases:

1. Enabling DNSSEC
2. KSK rollover
3. Going insecure

All these three cases involve publishing DS records into the parent, and
withdrawing them. The named instance is responsible for checking that the
relevant DS records are published or removed from the parent zone. Therefor,
it needs to know what the parental agents are (the servers that it can send
the DS queries to).

Then there are two ways of retrieving parental agents, either through explicit
configuration ("checkds explicit;"), or through discovery ("checkds yes;"). In
the latter case, the parental agents are retrieved by querying for the parent NS
RRset.

The third value is "checkds no;", which disables the feature.

Depending on the DS publication status, the DS state of the key needs to be
updated. In case of DS publication, the "DSPublish" state should be set, only
if all parental agents have the relevant DS published. In case of DS withdrawal,
the "DSRemoved" state should be set, only if none of the parental agents have
the relevant DS in their zone.

Regardless of how parental agents are retrieved, we identify the following test
cases:

1.	Enabling DNSSEC

1.1.	- With one parental agent
1.1.1.	  - DS is correctly published in the parent:		DSPublish
1.1.2.	  - DS is not (yet) published in the parent:		!DSPublish
1.1.3.	  - The parental agent is badly configured:		!DSPublish
1.1.4.	  - DS is published, but has bogus signature:		!DSPublish

1.2.	- With multiple parental agents
1.2.1.	  - DS is correctly published in all parents:		DSPublish
1.2.2.	  - DS is not (yet) published in some parents:		!DSPublish
1.2.3.	  - One parental agent is badly configured:		!DSPublish
1.2.4.	  - DS is completely published, bogus signature:	!DSPublish

2.	Going insecure

2.1.	- With one parental agent
2.1.1.	  - DS is correctly withdrawn from the parent:		DSRemoved
2.1.2.	  - DS is (still) published in the parent:		!DSRemoved
2.1.3.	  - The parental agent is badly configured:		!DSRemoved
2.1.4.	  - DS is withdrawn, but has bogus signature:		!DSRemoved

2.2.	- With multiple parental agents
2.2.1.	  - DS is correctly withdrawn from all parents:		DSRemoved
2.2.2.	  - DS is not (yet) withdrawn from some parents:	!DSRemoved
2.2.3.	  - One parental agent is badly configured:		!DSRemoved
2.2.4.	  - DS is removed completely, bogus signature:		!DSRemoved

We deliberately don't test the "KSK Rollover" case in this system test as this
can be considered as the same as "Enabling DNSSEC" for one key and
"Going insecure" for another case. In other words, it is covered by the two
other scenarios (although we might still add the test cases in the future).