sematic-checks: use verification routines from dnssec-verify

src/knot/dnssec/context.c

@@ -309,10 +309,14 @@ int kdnssec_validation_ctx(conf_t *conf, kdnssec_ctx_t *ctx, const zone_contents
 	}
 
 	policy_from_zone(ctx->policy, zone);
-	conf_val_t policy_id = conf_zone_get(conf, C_DNSSEC_POLICY, zone->apex->owner);
-	conf_id_fix_default(&policy_id);
-	conf_val_t num_threads = conf_id_get(conf, C_POLICY, C_SIGNING_THREADS, &policy_id);
-	ctx->policy->signing_threads = conf_int(&num_threads);
+	if (conf != NULL) {
+		conf_val_t policy_id = conf_zone_get(conf, C_DNSSEC_POLICY, zone->apex->owner);
+		conf_id_fix_default(&policy_id);
+		conf_val_t num_threads = conf_id_get(conf, C_POLICY, C_SIGNING_THREADS, &policy_id);
+		ctx->policy->signing_threads = conf_int(&num_threads);
+	} else {
+		ctx->policy->signing_threads = 1;
+	}
 
 	int ret = kasp_zone_from_contents(ctx->zone, zone, ctx->policy->single_type_signing,
 	                                  ctx->policy->nsec3_enabled, &ctx->policy->nsec3_iterations,

tests/knot/semantic_check_data/no_error_nsec3_delegation.signed → tests/knot/semantic_check_data/delegation.signed

-; Zone without any semantic error
+; Delegation NS and glue signed despite mustn't.
 
 example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
 					2010111220 ; serial

tests/knot/test_semantic_check.in

@@ -95,34 +95,31 @@ expect_error "glue_apex_one.missing" 0 1 "$NS_GLUE"
 expect_error "glue_besides.missing" 0 1 "$NS_GLUE"
 expect_error "glue_deleg.missing" 0 1 "$NS_GLUE"
 expect_error "glue_in_apex.missing" 0 1 "$NS_GLUE"
-expect_error "different_signer_name.signed" 0 1 "$RRSIG_RDATA_DNSKEY_OWNER \(record type NSEC\)"
-expect_error "different_signer_name.signed" 0 1 "$RRSIG_UNVERIFIABLE \(record type NSEC\)"
-expect_error "no_rrsig.signed" 0 1 "$RRSIG_NO_RRSIG \(record type A\)"
-expect_error "no_rrsig.signed" 0 1 "$RRSIG_NO_RRSIG \(record type NSEC\)"
-expect_error "no_rrsig_with_delegation.signed" 0 1 "$RRSIG_NO_RRSIG \(record type NSEC\)"
+expect_error "different_signer_name.signed" 0 1 "$RRSIG_UNVERIFIABLE"
+expect_error "no_rrsig.signed" 0 1 "$RRSIG_UNVERIFIABLE"
+expect_error "no_rrsig_with_delegation.signed" 0 1 "$RRSIG_UNVERIFIABLE"
 expect_error "nsec_broken_chain_01.signed" 0 1 "$NSEC_RDATA_CHAIN"
 expect_error "nsec_broken_chain_02.signed" 0 1 "$NSEC_RDATA_CHAIN"
-expect_error "nsec_missing.signed" 0 1 "$NSEC_NONE"
-expect_error "nsec_multiple.signed" 0 1 "$NSEC_RDATA_MULTIPLE"
+expect_error "nsec_missing.signed" 0 1 "$NSEC_RDATA_BITMAP"
+expect_error "nsec_multiple.signed" 0 1 "$NSEC_RDATA_BITMAP"
 expect_error "nsec_wrong_bitmap_01.signed" 0 1 "$NSEC_RDATA_BITMAP"
 expect_error "nsec_wrong_bitmap_02.signed" 0 1 "$NSEC_RDATA_BITMAP"
-expect_error "nsec3_missing.signed" 0 1 "$NSEC3_NONE"
-expect_error "nsec3_optout_ent.invalid" 0 1 "$NSEC3_NONE"
-expect_error "nsec3_wrong_bitmap_01.signed" 0 1 "$NSEC3_RDATA_BITMAP"
-expect_error "nsec3_wrong_bitmap_02.signed" 0 1 "$NSEC3_RDATA_BITMAP"
-expect_error "nsec3_ds.signed" 0 1 "$NSEC3_NONE"
+expect_error "nsec3_missing.signed" 0 1 "$NSEC_RDATA_BITMAP"
+expect_error "nsec3_optout_ent.invalid" 0 1 "$NSEC_RDATA_BITMAP"
+expect_error "nsec3_wrong_bitmap_01.signed" 0 1 "$NSEC_RDATA_BITMAP"
+expect_error "nsec3_wrong_bitmap_02.signed" 0 1 "$NSEC_RDATA_BITMAP"
+expect_error "nsec3_ds.signed" 0 1 "$NSEC_RDATA_BITMAP"
 expect_error "nsec3_optout.signed" 0 1 "$NSEC3_INSECURE_DELEGATION_OPT"
-expect_error "nsec3_chain_01.signed" 0 1 "$NSEC3_RDATA_CHAIN"
-expect_error "nsec3_chain_02.signed" 0 2 "$NSEC3_RDATA_CHAIN"
-expect_error "nsec3_chain_03.signed" 0 2 "$NSEC3_RDATA_CHAIN"
-expect_error "nsec3_param_invalid.signed" 0 1 "$NSEC3_ALG"
-expect_error "nsec3_param_invalid.signed" 0 1 "$NSEC3_ITERS"
+expect_error "nsec3_chain_01.signed" 0 1 "$NSEC_RDATA_CHAIN"
+expect_error "nsec3_chain_02.signed" 0 1 "$NSEC_RDATA_CHAIN"
+expect_error "nsec3_chain_03.signed" 0 1 "$NSEC_RDATA_CHAIN"
+expect_error "nsec3_param_invalid.signed" 0 1 "$NSEC_RDATA_BITMAP"
 expect_error "nsec3_param_invalid.signed" 0 1 "$NSEC3PARAM_FLAGS"
-expect_error "rrsig_signed.signed" 0 1 "$RRSIG_SIGNED"
-expect_error "rrsig_rdata_ttl.signed" 0 1 "$RRSIG_RDATA_TTL \(record type A\)"
-expect_error "duplicate.signature" 0 7 "$RRSIG_EXPIRED"
-expect_error "missing.signed" 0 1 "$NSEC_NONE"
-expect_error "dnskey_param_error.signed" 0 1 "$DNSKEY_PROTO"
+expect_error "rrsig_signed.signed" 0 1 "$RRSIG_UNVERIFIABLE"
+expect_error "rrsig_rdata_ttl.signed" 0 1 "$RRSIG_UNVERIFIABLE"
+expect_error "duplicate.signature" 0 1 "$RRSIG_UNVERIFIABLE"
+expect_error "missing.signed" 0 1 "$NSEC_RDATA_BITMAP"
+expect_error "dnskey_param_error.signed" 0 1 "$RRSIG_UNVERIFIABLE" # FIXME this shall rather fail on invalid pubkey
 expect_error "invalid_ds.signed" 0 2 "$DS_ALG \(keytag 60485\)"
 expect_error "cdnskey.invalid" 0 1 "$CDS_NOT_MATCH"
 expect_error "cdnskey.invalid.param" 0 1 "$CDS_NOT_MATCH"
@@ -133,10 +130,10 @@ expect_error "cdnskey.orphan.cds" 0 1 "$CDS_NOT_MATCH"
 expect_error "cdnskey.orphan.cdnskey" 0 1 "$CDNSKEY_NO_CDS"
 expect_error "cdnskey.delete.invalid.cds" 0 1 "$CDNSKEY_DELETE"
 expect_error "cdnskey.delete.invalid.cdnskey" 0 1 "$CDNSKEY_DELETE"
+expect_error "delegation.signed" 0 1 "$NSEC_RDATA_BITMAP"
 
 test_correct "rrsig_ttl.signed"
 test_correct "no_error_delegation_bitmap.signed"
-test_correct "no_error_nsec3_delegation.signed"
 test_correct "no_error_nsec3_optout.signed"
 test_correct "glue_wildcard.valid"
 test_correct "glue_no_foreign.valid"
@@ -178,5 +175,6 @@ test_correct_no_dnssec "cdnskey.orphan.cds"
 test_correct_no_dnssec "cdnskey.orphan.cdnskey"
 test_correct_no_dnssec "cdnskey.delete.invalid.cds"
 test_correct_no_dnssec "cdnskey.delete.invalid.cdnskey"
+test_correct_no_dnssec "delegation.signed"
 
 rm $LOG