mirror of
https://github.com/isc-projects/bind9.git
synced 2026-04-26 08:39:00 -04:00
4e46453035
kasp-max-types-per-name (named2.conf.in): An unsigned zone with RR type count on a name right below the configured limit. Then sign the zone using KASP. Adding a RRSIG would push it over the RR type limit per name. Signing should fail, but the server should not crash, nor end up in infinite resign-attempt loop. kasp-max-records-per-type-dnskey (named1.conf.in): Test with low max-record-per-rrset limit and a DNSSEC policy requiring more than the limit. Signing should fail. kasp-max-types-per-name (named1.conf.in): Each RRSIG(covered type) is counted as an individual RR type. Test the corner case where a signed zone, which is just below the limit-1, adds a new type - doing so would trigger signing for the new type and thus increase the number of "types" by 2, pushing it over the limit again.
89 lines
2.1 KiB
Text
89 lines
2.1 KiB
Text
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* SPDX-License-Identifier: MPL-2.0
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
// NS4
|
|
|
|
options {
|
|
pid-file "named.pid";
|
|
listen-on port @PORT@ { 10.53.0.4; };
|
|
port @PORT@;
|
|
listen-on-v6 { none; };
|
|
recursion no;
|
|
notify no;
|
|
session-keyfile "session.key";
|
|
servfail-ttl 0;
|
|
dnssec-validation no;
|
|
|
|
/* Ridicously low on purpose */
|
|
max-records-per-type 1;
|
|
max-types-per-name 11;
|
|
};
|
|
|
|
key rndc_key {
|
|
secret "1234abcd8765";
|
|
algorithm @DEFAULT_HMAC@;
|
|
};
|
|
|
|
controls {
|
|
inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
|
};
|
|
|
|
dnssec-policy "masterformat" {
|
|
keys {
|
|
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
|
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
|
};
|
|
};
|
|
|
|
/*
|
|
* This one should be okay, since the default policy only introduces one DNSKEY
|
|
* and each signature covering a different type is considered a separate RRset.
|
|
*/
|
|
zone "kasp-max-records-per-type" {
|
|
type primary;
|
|
file "kasp-max-records-per-type.db.raw";
|
|
masterfile-format raw;
|
|
dnssec-policy "default";
|
|
inline-signing no;
|
|
allow-update { any; };
|
|
allow-transfer { any; };
|
|
};
|
|
|
|
/*
|
|
* This one uses a ZSK / KSK, so that is two records in one RRset,
|
|
* thus it should fail to sign.
|
|
*/
|
|
zone "kasp-max-records-per-type-dnskey" {
|
|
type primary;
|
|
file "kasp-max-records-per-type-dnskey.db.raw";
|
|
masterfile-format raw;
|
|
dnssec-policy "masterformat";
|
|
inline-signing no;
|
|
allow-update { any; };
|
|
allow-transfer { any; };
|
|
};
|
|
|
|
/*
|
|
* The template zone is fine and should be possible to sign, but when
|
|
* adding an extra type to the apex the max-types-per-name will be exceeded,
|
|
* meaning the update should fail.
|
|
*/
|
|
zone "kasp-max-types-per-name" {
|
|
type primary;
|
|
file "kasp-max-types-per-name.db.raw";
|
|
masterfile-format raw;
|
|
dnssec-policy "default";
|
|
inline-signing no;
|
|
allow-update { any; };
|
|
allow-transfer { any; };
|
|
};
|