Merge branch 'kskroll-sentinel' into 'master'

Test draft-ietf-dnsop-kskroll-sentinel-00#section-2 See merge request !97

Merge branch 'kskroll-sentinel' into 'master'
Test draft-ietf-dnsop-kskroll-sentinel-00#section-2 See merge request !97
fc5657f6 · Petr Špaček · 387e8845 · 297d8e06 · fc5657f6 · fc5657f6
Commit fc5657f6 authored Jan 22, 2018 by Petr Špaček
20 changed files
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
-image: cznic/ci-debian-kresd
+image: $CI_REGISTRY/knot/knot-resolver/ci:debian-stable
 variables:
  LC_ALL: C.UTF-8


--- a/doc/scenario_guide.rst
+++ b/doc/scenario_guide.rst
@@ -416,6 +416,7 @@ Format is list of "key: value" pairs, one pair per line. There is no explicit st
 config option              default meaning
 ========================== ======= =====================================================================
 do-not-query-localhost     on      on = queries cannot be sent to 127.0.0.1/8 or ::1/128 addresses
+domain-insecure            (none)  domain name specifying DNS sub-tree with explicitly disabled DNSSEC validation
 force-ipv6                 off     use a IPv6 address as ``stub-addr``
 harden-glue                on      additional checks on glue addresses
 query-minimization         on      RFC 7816 query algorithm enabled; default inherited from QMIN environment variable

--- a/doc/user_guide.rst
+++ b/doc/user_guide.rst
@@ -190,6 +190,7 @@ DNS specifics:
 - ``HARDEN_GLUE``     [bool]_ - enables or disables additional checks on glue addresses
 - ``QMIN``            [bool]_ - enables or disables query minimization respectively
 - ``TRUST_ANCHORS`` - list of trust anchors in form of a DS records, see `scenario guide <doc/scenario_guide.rst>`_
+- ``NEGATIVE_TRUST_ANCHORS`` - list of domain names with explicitly disabled DNSSEC validation

 .. [bool] boolean expressed as string ``true``/``false``


--- a/pydnstest/scenario.py
+++ b/pydnstest/scenario.py
@@ -935,6 +935,7 @@ def parse_config(scn_cfg, qmin, installdir):
    sockfamily = 0  # auto-select value for socket.getaddrinfo
    trust_anchor_list = []
    trust_anchor_files = {}
+    negative_ta_list = []
    stub_addr = None
    override_timestamp = None

@@ -946,9 +947,11 @@ def parse_config(scn_cfg, qmin, installdir):
        # Enable selectively for some tests
        if k == 'do-not-query-localhost':
            do_not_query_localhost = str2bool(v)
-        if k == 'harden-glue':
+        elif k == 'domain-insecure':
+            negative_ta_list.append(v)
+        elif k == 'harden-glue':
            harden_glue = str2bool(v)
-        if k == 'query-minimization':
+        elif k == 'query-minimization':
            qmin = str2bool(v)
        elif k == 'trust-anchor':
            trust_anchor = v.strip('"\'')
@@ -1000,9 +1003,12 @@ def parse_config(scn_cfg, qmin, installdir):
                               % (v, str(ex)))
        elif k == 'force-ipv6' and v.upper() == 'TRUE':
            sockfamily = socket.AF_INET6
+        else:
+            raise NotImplementedError('unsupported CONFIG key "%s"' % k)

    ctx = {
        "DO_NOT_QUERY_LOCALHOST": str(do_not_query_localhost).lower(),
+        "NEGATIVE_TRUST_ANCHORS": negative_ta_list,
        "FEATURES": features,
        "HARDEN_GLUE": str(harden_glue).lower(),
        "INSTALL_DIR": installdir,

--- a/sets/resolver/iter_badraw.rpl
+++ b/sets/resolver/iter_badraw.rpl
-	name: "."
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_cname_badauth.rpl
+++ b/sets/resolver/iter_cname_badauth.rpl
 ; config options
-	target-fetch-policy: "3 2 1 0 0"
-	name: "."
+;	target-fetch-policy: "3 2 1 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_cname_cache.rpl
+++ b/sets/resolver/iter_cname_cache.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_cname_double.rpl
+++ b/sets/resolver/iter_cname_double.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_cname_nx.rpl
+++ b/sets/resolver/iter_cname_nx.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_cname_qnamecopy.rpl
+++ b/sets/resolver/iter_cname_qnamecopy.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_cycle.rpl
+++ b/sets/resolver/iter_cycle.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_cycle_noh.rpl
+++ b/sets/resolver/iter_cycle_noh.rpl
 ; config options
 	harden-glue: "no"
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_domain_sale.rpl
+++ b/sets/resolver/iter_domain_sale.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_domain_sale_nschange.rpl
+++ b/sets/resolver/iter_domain_sale_nschange.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_donotq127.rpl
+++ b/sets/resolver/iter_donotq127.rpl
 ; config options
-	name: "."
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_formerr.rpl
+++ b/sets/resolver/iter_formerr.rpl
 ; config options
-	harden-referral-path: no
-	target-fetch-policy: "0 0 0 0 0"
-        name: "."
+;	harden-referral-path: no
+;	target-fetch-policy: "0 0 0 0 0"
+;        name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_hint_lame.rpl
+++ b/sets/resolver/iter_hint_lame.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 	; minimization does not affect priming query
 	query-minimization: off

--- a/sets/resolver/iter_lame_aaaa.rpl
+++ b/sets/resolver/iter_lame_aaaa.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_lame_noaa.rpl
+++ b/sets/resolver/iter_lame_noaa.rpl
 ; config options
-	harden-referral-path: no
-	target-fetch-policy: "0 0 0 0 0"
-        name: "."
+;	harden-referral-path: no
+;	target-fetch-policy: "0 0 0 0 0"
+;        name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
 	; test with pre-scripted replies does not make sense with qmin
 	query-minimization: off

--- a/sets/resolver/iter_lame_nosoa.rpl
+++ b/sets/resolver/iter_lame_nosoa.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END