bind9/bin/tests/system/masterformat/ns4/named2.conf.in
Matthijs Mekking 4e46453035
Add new test cases with DNSSEC signing
kasp-max-types-per-name (named2.conf.in):
An unsigned zone with RR type count on a name right below the
configured limit. Then sign the zone using KASP. Adding an RRSIG would
push it over the RR type limit per name. Signing should fail, but
the server should not crash, nor end up in an infinite resign-attempt loop.

kasp-max-records-per-type-dnskey (named1.conf.in):
Test with low max-record-per-rrset limit and a DNSSEC policy requiring
more than the limit. Signing should fail.

kasp-max-types-per-name (named1.conf.in):
Each RRSIG(covered type) is counted as an individual RR type. Test the
corner case where a signed zone, which is just below the limit-1,
adds a new type - doing so would trigger signing for the new type and
thus increase the number of "types" by 2, pushing it over the limit
again.
2024-06-10 16:55:11 +02:00

/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

// NS4

options {
	pid-file "named.pid";
	listen-on port @PORT@ { 10.53.0.4; };
	port @PORT@;
	listen-on-v6 { none; };
	recursion no;
	notify no;
	session-keyfile "session.key";
	servfail-ttl 0;
	dnssec-validation no;

	/* Ridiculously low on purpose */
	max-records-per-type 1;
	max-types-per-name 9;
};

key rndc_key {
	secret "1234abcd8765";
	algorithm @DEFAULT_HMAC@;
};

controls {
	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};

/*
 * The template zone is fine, but when adding the DNSSEC records to the apex,
 * the max-types-per-name will be exceeded, meaning signing should fail.
 */
zone "kasp-max-types-per-name" {
	type primary;
	file "kasp-max-types-per-name.db.raw";
	masterfile-format raw;
	dnssec-policy "default";
	inline-signing no;
	allow-update { any; };
	allow-transfer { any; };
};
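
The counting rule from the commit message, with each RRSIG(covered type) counted as its own type, can be checked before a zone is signed. The sketch below is an added example, not BIND code or part of this test suite. The sample type lists are constructed, and it assumes a name is rejected once its count exceeds `max-types-per-name` and that signing adds at least DNSKEY and NSEC at the apex.

```python
# Added illustration, not BIND code. Counting model from the commit message:
# each plain RR type at a name counts once, and each RRSIG(covered type)
# counts as one more type.
# Assumption: a name is rejected once its count exceeds max-types-per-name.


def type_count(plain_types, signed_types=()):
    """Types stored at one owner name under the model above."""
    return len(set(plain_types)) + len(set(signed_types))


def count_after_signing(plain_types, dnssec_types=()):
    """Signing adds dnssec_types, then one RRSIG per type present."""
    present = set(plain_types) | set(dnssec_types)
    return type_count(present, present)


def precheck(plain_types, limit, dnssec_types=()):
    """Compare the count before and after signing against the limit."""
    before = type_count(plain_types)
    after = count_after_signing(plain_types, dnssec_types)
    return {"before": before, "after": after,
            "unsigned_ok": before <= limit, "signed_ok": after <= limit}


LIMIT = 9  # max-types-per-name from the options block above

# Constructed apex, one type below the limit while unsigned.
UNSIGNED_APEX = ["SOA", "NS", "A", "AAAA", "MX", "TXT", "CAA", "SRV"]
# Assumption: signing adds at least DNSKEY and NSEC at the apex.
ADDED_BY_SIGNING = ("DNSKEY", "NSEC")

# Constructed signed name sitting at limit - 1 (4 types + 4 RRSIGs = 8).
SIGNED_NAME = ["SOA", "NS", "DNSKEY", "NSEC"]

if __name__ == "__main__":
    print(precheck(UNSIGNED_APEX, LIMIT, ADDED_BY_SIGNING))
    print(count_after_signing(SIGNED_NAME), "->",
          count_after_signing(SIGNED_NAME + ["TXT"]))
```

The second case is the corner case from the commit message: adding one type to a signed name raises the count by two, so a name at limit - 1 ends up over the limit.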