Add checkds test case with resolver parental-agent

Add a test case for a server that uses a resolver as a parental-agent.

We need two root servers, ns1 and ns10, one that delegates to the
'checkds' tld with the DS published (ns2), and one that delegates to
the 'checkds' tld with the DS removed (ns5). Both root zones are
being set up in the 'ns1/setup.sh' script.

We also need two resolvers, ns3 and ns8, that use different root hints
(one uses ns1 address as a hint, the other uses ns10).

Then adding the checks to test_checkds.py is similar to the existing tests.

Update 'types' because for zones that have the DS withdrawn (or to be
withdrawn), the CDS and CDNSKEY records should not be published and
thus should not be in the NSEC bitmap.
This commit is contained in:
Matthijs Mekking
2023-01-13 14:13:59 +01:00
parent e54215e048
commit 0b9a9f9955
16 changed files with 314 additions and 5 deletions

@@ -36,7 +36,7 @@ def has_signed_apex_nsec(zone, response):
ttl = 300
nextname = "a."
types = "NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY"
types = "NS SOA RRSIG NSEC DNSKEY"
match = "{0} {1} IN NSEC {2}{0} {3}".format(zone, ttl, nextname, types)
sig = "{0} {1} IN RRSIG NSEC 13 2 300".format(zone, ttl)
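Review bot: The hard-coded bitmap in has_signed_apex_nsec now omits CDS and CDNSKEY for every zone passed to this helper, while the commit message justifies the omission only for zones whose DS is withdrawn or about to be withdrawn. Because match is an exact string comparison against the NSEC record, a zone that still publishes CDS/CDNSKEY would fail this check. Either add a comment above the types assignment stating that no zone checked here publishes CDS/CDNSKEY, or make types a parameter so each caller passes the bitmap it expects.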
@@ -346,6 +346,15 @@ def test_checkds_dspublished(named_port):
)
keystate_check(parent, "bad2-dspublished.checkds.", "!DSPublish")
# Check with resolver parental-agent.
zone_check(server, "resolver-dspublished.checkds.")
wait_for_log(
"ns9/named.run",
"zone resolver-dspublished.checkds/IN (signed): checkds: "
"DS response from 10.53.0.3",
)
keystate_check(parent, "resolver-dspublished.checkds.", "DSPublish")
# TBD: DS published in all parents, but one has bogus signature.
# TBD: Check with TSIG
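Review bot: The address 10.53.0.3 in the new wait_for_log call is a bare literal with no indication of which server it is or which root hint it resolves through. The comment "# Check with resolver parental-agent." should name the resolver instance and say that it reaches the parent that has the DS published, so a reader can tell why a DS response from this address justifies DSPublish without opening the setup scripts.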
@@ -444,4 +453,13 @@ def test_checkds_dswithdrawn(named_port):
)
keystate_check(parent, "bad2-dswithdrawn.checkds.", "!DSRemoved")
# Check with resolver parental-agent.
zone_check(server, "resolver-dswithdrawn.checkds.")
wait_for_log(
"ns9/named.run",
"zone resolver-dswithdrawn.checkds/IN (signed): checkds: "
"empty DS response from 10.53.0.8",
)
keystate_check(parent, "resolver-dswithdrawn.checkds.", "DSRemoved")
# TBD: DS withdrawn from all parents, but one has bogus signature.
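Review bot: The resolver block in test_checkds_dswithdrawn only covers the path where the resolver at 10.53.0.8 returns an empty DS response and the key reaches DSRemoved. The bad2-dswithdrawn check directly above it asserts "!DSRemoved", but there is no matching resolver case where the parental-agent still sees the DS. Consider adding one, or a TBD line next to the existing ones, so the test shows that a resolver answer that still contains the DS does not move the key state.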