# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
import dns.message
import pytest
import isctest
# Glob patterns handed to the extra_artifacts marker. Judging by the names they
# cover generated key files, DS sets, trust anchors, signed zones and zone
# files. NOTE(review): confirm how the test harness treats files matched here.
pytestmark = pytest.mark.extra_artifacts(
    [
        "ns*/K*", "ns*/dsset-*", "ns*/trusted.conf", "ns*/*.signed",
        "ns1/root.db", "ns2/bad.db", "ns2/good.db",
    ]
)
def test_dsdigest_good():
    """Check that a zone reached through an enabled DS digest type validates.

    Sends ``a.good. A`` with DNSSEC requested to 10.53.0.3 over TCP, then
    requires the NOERROR check to pass and the AD flag to be set in the reply.
    """
    query = dns.message.make_query("a.good.", "A", want_dnssec=True)
    response = isctest.query.tcp(query, "10.53.0.3")
    isctest.check.noerror(response)
    # AD (Authenticated Data) is how the server signals that it validated
    # the answer; without it the response must not be treated as secure.
    assert response.flags & dns.flags.AD
def test_dsdigest_bad():
    """Check that unsupported DS digest types fail closed under must-be-secure.

    Per the test's intent, the server at 10.53.0.3 combines unsupported digest
    types with "dnssec-must-be-secure yes;", so ``a.bad. A`` must be answered
    with SERVFAIL rather than with unvalidated data. The server configuration
    itself is not part of this file.
    """
    query = dns.message.make_query("a.bad.", "A", want_dnssec=True)
    response = isctest.query.tcp(query, "10.53.0.3")
    isctest.check.servfail(response)
def test_dsdigest_insecure():
    """Check that unsupported DS digest algorithms downgrade the zone to insecure.

    Both queries go to 10.53.0.4 over TCP with DNSSEC requested. The DS RRset
    for ``bad.`` must come back with the AD flag set, while ``a.bad. A`` must
    be answered NOERROR without AD.
    """
    server = "10.53.0.4"

    # The DS RRset itself is expected to be reported as validated (AD set).
    ds_query = dns.message.make_query("bad.", "DS", want_dnssec=True)
    ds_reply = isctest.query.tcp(ds_query, server)
    isctest.check.noerror(ds_reply)
    assert ds_reply.flags & dns.flags.AD

    # Data below that DS is still served, but must not be flagged as
    # authenticated: a set AD bit here would claim validation that never ran.
    a_query = dns.message.make_query("a.bad.", "A", want_dnssec=True)
    a_reply = isctest.query.tcp(a_query, server)
    isctest.check.noerror(a_reply)
    assert not (a_reply.flags & dns.flags.AD)