# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# NOTE(review): dns.flags is used below without an import line of its own;
# the name resolves because importing dns.message loads dns.flags as well.
import dns.message

import isctest


def test_dsdigest_good():
    """Validation succeeds when the DS digest type is enabled.

    Sends an A query for ``a.good.`` with DNSSEC records requested to
    10.53.0.3 over TCP and expects NOERROR with the AD (Authenticated
    Data) flag set, i.e. the server reports the answer as validated.
    """
    query = dns.message.make_query("a.good.", "A", want_dnssec=True)
    response = isctest.query.tcp(query, "10.53.0.3")
    isctest.check.noerror(response)
    # AD set: the server vouches that the answer passed DNSSEC validation.
    assert response.flags & dns.flags.AD


def test_dsdigest_bad():
    """Unsupported DS digest types plus "dnssec-must-be-secure yes;" fail closed.

    Sends an A query for ``a.bad.`` to 10.53.0.3 and expects SERVFAIL.
    The server configuration is not visible in this file; per the original
    description, 10.53.0.3 presumably has "dnssec-must-be-secure yes;" in
    effect for this name, so an answer that cannot be validated is refused
    instead of being served as insecure data.
    """
    query = dns.message.make_query("a.bad.", "A", want_dnssec=True)
    response = isctest.query.tcp(query, "10.53.0.3")
    isctest.check.servfail(response)


def test_dsdigest_insecure():
    """Unsupported DS digest algorithms make the zone insecure, not bogus.

    Both queries go to 10.53.0.4 over TCP:

    * ``bad. DS`` must return NOERROR with AD set (the DS RRset itself
      is reported as validated).
    * ``a.bad. A`` must return NOERROR with AD clear: the answer is
      served, but it is not marked as authenticated.

    A client that relies on the AD flag must therefore treat the second
    answer as unvalidated data.
    """
    ds_query = dns.message.make_query("bad.", "DS", want_dnssec=True)
    ds_response = isctest.query.tcp(ds_query, "10.53.0.4")
    isctest.check.noerror(ds_response)
    assert ds_response.flags & dns.flags.AD

    a_query = dns.message.make_query("a.bad.", "A", want_dnssec=True)
    a_response = isctest.query.tcp(a_query, "10.53.0.4")
    isctest.check.noerror(a_response)
    # AD must be absent: the answer is resolvable but not authenticated.
    assert not (a_response.flags & dns.flags.AD)