The dnssec-must-be-secure feature was added in the early days of BIND 9 and DNSSEC and it makes sense only as a debugging feature. There are no reasons to keep this feature in the production code anymore. Remove the feature to simplify the code.
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
import dns.message
import dns.rdatatype
import pytest

import isctest
# Globs for the generated files (keys, DS sets, trust-anchor config, signed
# zones and the zone sources) handed to the test framework's extra_artifacts
# marker so they are kept together with the test run.
_ARTIFACT_GLOBS = (
    "ns*/K*",
    "ns*/dsset-*",
    "ns*/trusted.conf",
    "ns*/*.signed",
    "ns1/root.db",
    "ns2/bad.db",
    "ns2/good.db",
)

pytestmark = pytest.mark.extra_artifacts(list(_ARTIFACT_GLOBS))
def test_dsdigest_good():
    """Check that validation with enabled digest types works.

    The server at 10.53.0.3 is presumably a validating resolver configured
    with the test trust anchor (see the ns*/trusted.conf artifacts), and the
    "good." delegation is expected to carry a DS with a digest type the
    resolver supports.  A signed answer for a name below it must therefore
    come back NOERROR with the AD (authentic data) bit set.
    """
    # want_dnssec=True sets the EDNS DO bit, which is what makes the
    # resolver return RRSIGs and report validation status via AD.
    query = dns.message.make_query("a.good.", "A", want_dnssec=True)
    response = isctest.query.tcp(query, "10.53.0.3")

    isctest.check.noerror(response)
    # AD is only set when the whole chain of trust validated; a cleared AD
    # here would mean the resolver could not use the DS digest.
    assert response.flags & dns.flags.AD
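def test_dsdigest_insecure():
    """Check that validation with not supported digest algorithms is insecure.

    The "bad." delegation is expected to carry a DS whose digest type the
    resolver at 10.53.0.4 does not support.  Per RFC 4035 section 5.2, a
    validator that supports none of the digest types in an authenticated DS
    RRset treats the child as if no DS existed, i.e. as insecure rather than
    bogus: answers below the delegation are returned NOERROR but without the
    AD bit, never SERVFAIL.
    """
    # The DS RRset itself lives in the (validatable) parent, so it must come
    # back as authenticated data ...
    ds_query = dns.message.make_query("bad.", "DS", want_dnssec=True)
    ds_response = isctest.query.tcp(ds_query, "10.53.0.4")

    isctest.check.noerror(ds_response)
    assert ds_response.flags & dns.flags.AD
    # ... and it must actually be present: a validated NODATA answer is also
    # NOERROR+AD, and in that case the insecure result below would stem from
    # a missing DS rather than from an unsupported digest type, so the test
    # would not be exercising what it claims to.
    assert any(
        rrset.rdtype == dns.rdatatype.DS for rrset in ds_response.answer
    ), "no DS RRset in the answer for bad./DS"

    a_query = dns.message.make_query("a.bad.", "A", want_dnssec=True)
    a_response = isctest.query.tcp(a_query, "10.53.0.4")

    # Insecure, not bogus: the data is returned (NOERROR) but must not be
    # marked as authenticated (AD clear).
    isctest.check.noerror(a_response)
    assert not a_response.flags & dns.flags.AD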