bind9/bin/tests/system/mkeys
Michał Kępień e4a544e989 Disable SERVFAIL cache for ns5 in the "mkeys" system test
The "check key refreshes are resumed after root servers become
available" check may trigger a false positive for the "mkeys" system
test if the second example/TXT query sent by dig is received by ns5 less
than a second after it receives a REFUSED response to the upstream query
it sends to ns1 in order to resolve the first example/TXT query sent by
dig.  Since that REFUSED response from ns1 causes ns5 to return a
SERVFAIL answer to dig, example/TXT is added to the SERVFAIL cache,
which is enabled by default with a TTL of 1 second.  This in turn may
cause ns5 to return a cached SERVFAIL response to the second example/TXT
query sent by dig, i.e. make ns5 not perform full query processing as
expected by the check.

Since the primary purpose of the check in question is to ensure that key
refreshes are resumed once initially unavailable root servers become
available, the optimal solution appears to be disabling SERVFAIL cache
for ns5 as doing that still allows the check to fulfill its purpose and
it is arguably more prudent than always sleeping for 1 second.

(cherry picked from commit 7c6bff3c4e)
2019-03-05 13:25:04 -08:00
ns1 use algorithm 255 for both unsupported keys 2019-02-20 17:45:48 -08:00
ns2 add properly-formatted -D options to named.args files 2019-01-28 19:58:24 -08:00
ns3 add properly-formatted -D options to named.args files 2019-01-28 19:58:24 -08:00
ns4 Update license headers to not include years in copyright in all applicable files 2018-02-23 10:12:02 +01:00
ns5 Disable SERVFAIL cache for ns5 in the "mkeys" system test 2019-03-05 13:25:04 -08:00
ns6 Add tests for mkeys with unsupported algorithm 2019-02-20 17:45:47 -08:00
ns7 Add tests for mkeys with unsupported algorithm 2019-02-20 17:45:47 -08:00
clean.sh Add tests for mkeys with unsupported algorithm 2019-02-20 17:45:47 -08:00
README Add tests for mkeys with unsupported algorithm 2019-02-20 17:45:47 -08:00
setup.sh Add tests for mkeys with unsupported algorithm 2019-02-20 17:45:47 -08:00
tests.sh Add tests for mkeys with unsupported algorithm 2019-02-20 17:45:47 -08:00

Copyright (C) Internet Systems Consortium, Inc. ("ISC")

See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

This test exercises managed-keys, in particular problem cases with
RFC 5011 Automated Updates of DNSSEC Trust Anchors.

ns1 is the root server that offers new KSKs and hosts one record for
testing. The TTL for the zone's records is 2 seconds.

ns2 is a validator that uses managed-keys.  "-T mkeytimers=2/20/40"
is used so it will attempt to do automated updates frequently. "-T tat=1"
is used so it will send TAT queries once per second.

ns3 is a validator with a broken key in managed-keys.

ns4 is a validator with a deliberately broken managed-keys.bind and
managed-keys.jnl, causing RFC 5011 initialization to fail.

ns5 is a validator which is prevented from getting a response from the
root server, causing key refresh queries to fail.

ns6 is a validator which has unsupported algorithms, one at startup
and one because of an algorithm rollover.