Commit fc5657f6 authored by Petr Špaček's avatar Petr Špaček

Merge branch 'kskroll-sentinel' into 'master'

Test draft-ietf-dnsop-kskroll-sentinel-00#section-2

See merge request !97
parents 387e8845 297d8e06
image: cznic/ci-debian-kresd
image: $CI_REGISTRY/knot/knot-resolver/ci:debian-stable
variables:
LC_ALL: C.UTF-8
......
......@@ -416,6 +416,7 @@ Format is list of "key: value" pairs, one pair per line. There is no explicit st
config option default meaning
========================== ======= =====================================================================
do-not-query-localhost on on = queries cannot be sent to 127.0.0.1/8 or ::1/128 addresses
domain-insecure (none) domain name specifying DNS sub-tree with explicitly disabled DNSSEC validation
force-ipv6 off use a IPv6 address as ``stub-addr``
harden-glue on additional checks on glue addresses
query-minimization on RFC 7816 query algorithm enabled; default inherited from QMIN environment variable
......
......@@ -190,6 +190,7 @@ DNS specifics:
- ``HARDEN_GLUE`` [bool]_ - enables or disables additional checks on glue addresses
- ``QMIN`` [bool]_ - enables or disables query minimization respectively
- ``TRUST_ANCHORS`` - list of trust anchors in form of a DS records, see `scenario guide <doc/scenario_guide.rst>`_
- ``NEGATIVE_TRUST_ANCHORS`` - list of domain names with explicitly disabled DNSSEC validation
.. [bool] boolean expressed as string ``true``/``false``
......
......@@ -935,6 +935,7 @@ def parse_config(scn_cfg, qmin, installdir):
sockfamily = 0 # auto-select value for socket.getaddrinfo
trust_anchor_list = []
trust_anchor_files = {}
negative_ta_list = []
stub_addr = None
override_timestamp = None
......@@ -946,9 +947,11 @@ def parse_config(scn_cfg, qmin, installdir):
# Enable selectively for some tests
if k == 'do-not-query-localhost':
do_not_query_localhost = str2bool(v)
if k == 'harden-glue':
elif k == 'domain-insecure':
negative_ta_list.append(v)
elif k == 'harden-glue':
harden_glue = str2bool(v)
if k == 'query-minimization':
elif k == 'query-minimization':
qmin = str2bool(v)
elif k == 'trust-anchor':
trust_anchor = v.strip('"\'')
......@@ -1000,9 +1003,12 @@ def parse_config(scn_cfg, qmin, installdir):
% (v, str(ex)))
elif k == 'force-ipv6' and v.upper() == 'TRUE':
sockfamily = socket.AF_INET6
else:
raise NotImplementedError('unsupported CONFIG key "%s"' % k)
ctx = {
"DO_NOT_QUERY_LOCALHOST": str(do_not_query_localhost).lower(),
"NEGATIVE_TRUST_ANCHORS": negative_ta_list,
"FEATURES": features,
"HARDEN_GLUE": str(harden_glue).lower(),
"INSTALL_DIR": installdir,
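Review bot: The new `else: raise NotImplementedError(...)` also catches `force-ipv6` whenever its value is not `true`, because that branch is still written as `elif k == 'force-ipv6' and v.upper() == 'TRUE'`; a scenario that spells out the documented default (`force-ipv6: off`) would now abort with a misleading "unsupported CONFIG key" error instead of being ignored as before. Matching on the key alone and testing the value inside the branch avoids this, e.g. `elif k == 'force-ipv6':` followed by `if str2bool(v): sockfamily = socket.AF_INET6`, assuming `str2bool` accepts the same spellings it does for the other options. Separately, `negative_ta_list.append(v)` stores the `domain-insecure` value verbatim, while the `trust-anchor` branch strips quotes with `v.strip('"\'')`. A negative trust anchor turns DNSSEC validation off for a whole subtree, so a quoted or empty name is better normalised or rejected here than passed on in `NEGATIVE_TRUST_ANCHORS`, where (the template is not visible in these hunks) it may silently fail to match. `parse_config` starts and ends outside the hunks shown.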
......
name: "."
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "3 2 1 0 0"
name: "."
; target-fetch-policy: "3 2 1 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
harden-glue: "no"
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
name: "."
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
harden-referral-path: no
target-fetch-policy: "0 0 0 0 0"
name: "."
; harden-referral-path: no
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
; minimization does not affect priming query
query-minimization: off
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
harden-referral-path: no
target-fetch-policy: "0 0 0 0 0"
name: "."
; harden-referral-path: no
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
; test with pre-scripted replies does not make sense with qmin
query-minimization: off
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
name: "."
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
; target-fetch-policy: "0 0 0 0 0"
query-minimization: on
name: "."
; name: "."
stub-addr: 127.0.0.10 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
; target-fetch-policy: "0 0 0 0 0"
query-minimization: on
name: "."
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
; target-fetch-policy: "0 0 0 0 0"
query-minimization: on
name: "."
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
; target-fetch-policy: "0 0 0 0 0"
query-minimization: on
name: "."
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
module-config: "iterator"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; module-config: "iterator"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
; The island of trust is at example.com
server:
;server:
trust-anchor: "example.com. IN DS 438 10 2 33F8133EB48EDB093839E985600EB7B7009EB5AC312D11CCA9007F6B 71D94D7B"
val-override-date: "20160308103040"
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
......
; config options
target-fetch-policy: "3 2 1 0 0"
name: "."
; target-fetch-policy: "3 2 1 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "3 2 1 0 0"
name: "."
; target-fetch-policy: "3 2 1 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "3 2 1 0 0"
name: "."
; target-fetch-policy: "3 2 1 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "3 2 1 0 0"
name: "."
; target-fetch-policy: "3 2 1 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
harden-referral-path: yes
target-fetch-policy: "0 0 0 0 0"
name: "."
; harden-referral-path: yes
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
do-ip6: no
name: "."
; target-fetch-policy: "0 0 0 0 0"
; do-ip6: no
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
server:
;server:
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
server:
target-fetch-policy: "0 0 0 0 0"
;server:
; target-fetch-policy: "0 0 0 0 0"
stub-zone:
name: "."
;stub-zone:
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
target-fetch-policy: "0 0 0 0 0"
name: "."
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
harden-referral-path: no
target-fetch-policy: "0 0 0 0 0"
name: "."
; harden-referral-path: no
; target-fetch-policy: "0 0 0 0 0"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
......
; config options
server:
;server:
trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
val-override-timestamp: "1437625000"
stub-zone:
name: "."
;stub-zone:
; name: "."
stub-addr: 198.41.0.4 # a.root-servers.net.
CONFIG_END
......
; config options
server:
;server:
trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
val-override-timestamp: "1441892800"
query-minimization: off
stub-zone:
name: "."
;stub-zone:
; name: "."
stub-addr: 198.41.0.4 # a.root-servers.net.
CONFIG_END
......
; config options
server:
;server:
trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
val-override-timestamp: "1437625000"
stub-zone:
name: "."
;stub-zone:
; name: "."
stub-addr: 198.41.0.4 # a.root-servers.net.
CONFIG_END
......
; config options
server:
;server:
trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
val-override-timestamp: "1438783903"
query-minimization: off
stub-zone:
name: "."
;stub-zone:
; name: "."
stub-addr: 198.41.0.4 # a.root-servers.net.
CONFIG_END
......
; config options
server:
;server:
stub-addr: 193.0.14.129
trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
val-override-timestamp: "1450794800"
......
; config options
server:
;server:
trust-anchor: ". 3600 IN DS 17272 13 4 B87AD8C76DC2244E7AA57285057BF533F2E248CC8D7E1A071D8A3837A711A5EA705C4707E6E8911DA653BE1AE019927B"
val-override-timestamp: "1442323400"
do-not-query-localhost: off
stub-zone:
name: "."
;stub-zone:
; name: "."
stub-addr: 127.0.0.1 # ns.
CONFIG_END
......
; config options
server:
;server:
trust-anchor: ". 3600 IN DS 17272 13 4 B87AD8C76DC2244E7AA57285057BF533F2E248CC8D7E1A071D8A3837A711A5EA705C4707E6E8911DA653BE1AE019927B"
val-override-timestamp: "1442323400"
do-not-query-localhost: off
stub-zone:
name: "."
;stub-zone:
; name: "."
stub-addr: 127.0.0.1 # ns.
CONFIG_END
......
; config options
server:
;server:
trust-anchor: ". 3600 IN DS 17272 13 4 B87AD8C76DC2244E7AA57285057BF533F2E248CC8D7E1A071D8A3837A711A5EA705C4707E6E8911DA653BE1AE019927B"
val-override-timestamp: "1442839270"
do-not-query-localhost: off
stub-zone:
name: "."
;stub-zone: