Merge branch 'kskroll-sentinel' into 'master'

Test draft-ietf-dnsop-kskroll-sentinel-00#section-2

See merge request !97

.gitlab-ci.yml

-image: cznic/ci-debian-kresd
+image: $CI_REGISTRY/knot/knot-resolver/ci:debian-stable
 variables:
   LC_ALL: C.UTF-8
 

doc/scenario_guide.rst

@@ -416,6 +416,7 @@ Format is list of "key: value" pairs, one pair per line. There is no explicit st
 config option              default meaning
 ========================== ======= =====================================================================
 do-not-query-localhost     on      on = queries cannot be sent to 127.0.0.1/8 or ::1/128 addresses
+domain-insecure            (none)  domain name specifying DNS sub-tree with explicitly disabled DNSSEC validation
 force-ipv6                 off     use a IPv6 address as ``stub-addr``
 harden-glue                on      additional checks on glue addresses
 query-minimization         on      RFC 7816 query algorithm enabled; default inherited from QMIN environment variable

doc/user_guide.rst

@@ -190,6 +190,7 @@ DNS specifics:
 - ``HARDEN_GLUE``     [bool]_ - enables or disables additional checks on glue addresses
 - ``QMIN``            [bool]_ - enables or disables query minimization respectively
 - ``TRUST_ANCHORS`` - list of trust anchors in form of a DS records, see `scenario guide <doc/scenario_guide.rst>`_
+- ``NEGATIVE_TRUST_ANCHORS`` - list of domain names with explicitly disabled DNSSEC validation
 
 .. [bool] boolean expressed as string ``true``/``false``
 

pydnstest/scenario.py

@@ -935,6 +935,7 @@ def parse_config(scn_cfg, qmin, installdir):
     sockfamily = 0  # auto-select value for socket.getaddrinfo
     trust_anchor_list = []
     trust_anchor_files = {}
+    negative_ta_list = []
     stub_addr = None
     override_timestamp = None
 
@@ -946,9 +947,11 @@ def parse_config(scn_cfg, qmin, installdir):
         # Enable selectively for some tests
         if k == 'do-not-query-localhost':
             do_not_query_localhost = str2bool(v)
-        if k == 'harden-glue':
+        elif k == 'domain-insecure':
+            negative_ta_list.append(v)
+        elif k == 'harden-glue':
             harden_glue = str2bool(v)
-        if k == 'query-minimization':
+        elif k == 'query-minimization':
             qmin = str2bool(v)
         elif k == 'trust-anchor':
             trust_anchor = v.strip('"\'')
@@ -1000,9 +1003,12 @@ def parse_config(scn_cfg, qmin, installdir):
                                % (v, str(ex)))
         elif k == 'force-ipv6' and v.upper() == 'TRUE':
             sockfamily = socket.AF_INET6
+        else:
+            raise NotImplementedError('unsupported CONFIG key "%s"' % k)
 
     ctx = {
         "DO_NOT_QUERY_LOCALHOST": str(do_not_query_localhost).lower(),
+        "NEGATIVE_TRUST_ANCHORS": negative_ta_list,
         "FEATURES": features,
         "HARDEN_GLUE": str(harden_glue).lower(),
         "INSTALL_DIR": installdir,

sets/resolver/iter_badraw.rpl

-	name: "."
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_cname_badauth.rpl

 ; config options
-	target-fetch-policy: "3 2 1 0 0"
-	name: "."
+;	target-fetch-policy: "3 2 1 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_cname_cache.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_cname_double.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_cname_nx.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_cname_qnamecopy.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_cycle.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_cycle_noh.rpl

 ; config options
 	harden-glue: "no"
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_domain_sale.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_domain_sale_nschange.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_donotq127.rpl

 ; config options
-	name: "."
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_formerr.rpl

 ; config options
-	harden-referral-path: no
-	target-fetch-policy: "0 0 0 0 0"
-        name: "."
+;	harden-referral-path: no
+;	target-fetch-policy: "0 0 0 0 0"
+;        name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_hint_lame.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 	; minimization does not affect priming query
 	query-minimization: off

sets/resolver/iter_lame_aaaa.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_lame_noaa.rpl

 ; config options
-	harden-referral-path: no
-	target-fetch-policy: "0 0 0 0 0"
-        name: "."
+;	harden-referral-path: no
+;	target-fetch-policy: "0 0 0 0 0"
+;        name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
 	; test with pre-scripted replies does not make sense with qmin
 	query-minimization: off

sets/resolver/iter_lame_nosoa.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_lamescrub.rpl

 ; config options
-	name: "."
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_minim_a.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
+;	target-fetch-policy: "0 0 0 0 0"
 	query-minimization: on
-	name: "."
+;	name: "."
 	stub-addr: 127.0.0.10 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_minim_a_nxdomain.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
+;	target-fetch-policy: "0 0 0 0 0"
 	query-minimization: on
-	name: "."
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_minim_nonempty.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
+;	target-fetch-policy: "0 0 0 0 0"
 	query-minimization: on
-	name: "."
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_minim_ns.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
+;	target-fetch-policy: "0 0 0 0 0"
 	query-minimization: on
-	name: "."
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_mod.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	module-config: "iterator"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	module-config: "iterator"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_multiple_A.rpl

 ; config options
 ; The island of trust is at example.com
-server:
+;server:
 	trust-anchor: "example.com.		IN DS 438 10 2 33F8133EB48EDB093839E985600EB7B7009EB5AC312D11CCA9007F6B 71D94D7B"
 	val-override-date: "20160308103040"
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.

sets/resolver/iter_ns_badaa.rpl

 ; config options
-	target-fetch-policy: "3 2 1 0 0"
-	name: "."
+;	target-fetch-policy: "3 2 1 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_ns_badglue.rpl

 ; config options
-	target-fetch-policy: "3 2 1 0 0"
-	name: "."
+;	target-fetch-policy: "3 2 1 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_ns_badip.rpl

 ; config options
-	target-fetch-policy: "3 2 1 0 0"
-	name: "."
+;	target-fetch-policy: "3 2 1 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_ns_noglue.rpl

 ; config options
-	target-fetch-policy: "3 2 1 0 0"
-	name: "."
+;	target-fetch-policy: "3 2 1 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_ns_spoof.rpl

 ; config options
-	harden-referral-path: yes
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	harden-referral-path: yes
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_pc_a.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_pc_aaaa.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_pcdirect.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_pclame.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_pcname.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_pcnamech.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_pcnamechrec.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_pcttl.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	do-ip6: no
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	do-ip6: no
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_reclame_one.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_reclame_two.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_recurse.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_refuse.rpl

 ; config options
-server:
+;server:
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_req_qname.rpl

 ; config options
-server:
-	target-fetch-policy: "0 0 0 0 0"
+;server:
+;	target-fetch-policy: "0 0 0 0 0"
 
-stub-zone:
-	name: "."
+;stub-zone:
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_resolve.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_soamin.rpl

 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_tcbit.rpl

 ; config options
-	harden-referral-path: no
-	target-fetch-policy: "0 0 0 0 0"
-        name: "."
+;	harden-referral-path: no
+;	target-fetch-policy: "0 0 0 0 0"
+;        name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
 CONFIG_END
 

sets/resolver/iter_validate.rpl

 ; config options
-server:
+;server:
 	trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
 	val-override-timestamp: "1437625000"
 
-stub-zone:
-	name: "."
+;stub-zone:
+;	name: "."
 	stub-addr: 198.41.0.4 	# a.root-servers.net.
 CONFIG_END
 

sets/resolver/iter_validate_child_zone_noaddr.rpl

 ; config options
-server:
+;server:
 	trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
 	val-override-timestamp: "1441892800"
 	query-minimization: off
 
-stub-zone:
-	name: "."
+;stub-zone:
+;	name: "."
 	stub-addr: 198.41.0.4 	# a.root-servers.net.
 CONFIG_END
 

sets/resolver/iter_validate_extradata.rpl

 ; config options
-server:
+;server:
 	trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
 	val-override-timestamp: "1437625000"
 
-stub-zone:
-	name: "."
+;stub-zone:
+;	name: "."
 	stub-addr: 198.41.0.4 	# a.root-servers.net.
 CONFIG_END
 

sets/resolver/iter_validate_nsec_nxdomain.rpl

 ; config options
-server:
+;server:
 	trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
 	val-override-timestamp: "1438783903"
 	query-minimization: off
 
-stub-zone:
-	name: "."
+;stub-zone:
+;	name: "."
 	stub-addr: 198.41.0.4 	# a.root-servers.net.
 CONFIG_END
 

sets/resolver/nsec3_wildcard_no_data_response.rpl

 ; config options
-server:
+;server:
         stub-addr: 193.0.14.129
 	trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
 	val-override-timestamp: "1450794800"

sets/resolver/nsec_name_error_response-part2.rpl

 ; config options
-server:
+;server:
 	trust-anchor: ". 3600 IN DS 17272 13 4 B87AD8C76DC2244E7AA57285057BF533F2E248CC8D7E1A071D8A3837A711A5EA705C4707E6E8911DA653BE1AE019927B"
 	val-override-timestamp: "1442323400"
 	do-not-query-localhost: off
 
-stub-zone:
-	name: "."
+;stub-zone:
+;	name: "."
 	stub-addr: 127.0.0.1 	# ns.
 CONFIG_END
 

sets/resolver/nsec_name_error_response.rpl

 ; config options
-server:
+;server:
 	trust-anchor: ". 3600 IN DS 17272 13 4 B87AD8C76DC2244E7AA57285057BF533F2E248CC8D7E1A071D8A3837A711A5EA705C4707E6E8911DA653BE1AE019927B"
 	val-override-timestamp: "1442323400"
 	do-not-query-localhost: off
 
-stub-zone:
-	name: "."
+;stub-zone:
+;	name: "."
 	stub-addr: 127.0.0.1 	# ns.
 CONFIG_END
 

sets/resolver/nsec_no_data_response.rpl

 ; config options
-server:
+;server:
 	trust-anchor: ". 3600 IN DS 17272 13 4 B87AD8C76DC2244E7AA57285057BF533F2E248CC8D7E1A071D8A3837A711A5EA705C4707E6E8911DA653BE1AE019927B"
 	val-override-timestamp: "1442839270"
 	do-not-query-localhost: off
 
-stub-zone:
-	name: "."
+;stub-zone: