[PR #2409] [MERGED] conformance: DS of child's ZSK in parent zone #3020

Closed
opened 2026-03-16 11:20:57 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/2409
Author: @japaric
Created: 9/3/2024
Status: Merged
Merged: 9/5/2024
Merged by: @japaric

Base: main ← Head: ja-ds-of-zsk


📝 Commits (3)

  • 5d77856 dns-test: refactor DNSKEY's RDATA into its own struct
  • f1f6dbe dns-test: also create a DS for ZSK
  • 9990f7a conformance: DS of child's ZSK in parent zone

📊 Changes

8 files changed (+265 additions, -106 deletions)

📝 conformance/packages/conformance-tests/src/resolver/dnssec/scenarios/bogus.rs (+5 -5)
📝 conformance/packages/conformance-tests/src/resolver/dnssec/scenarios/insecure.rs (+2 -2)
📝 conformance/packages/conformance-tests/src/resolver/dnssec/scenarios/secure.rs (+97 -1)
📝 conformance/packages/dns-test/src/name_server.rs (+35 -4)
📝 conformance/packages/dns-test/src/record.rs (+75 -54)
📝 conformance/packages/dns-test/src/trust_anchor.rs (+16 -9)
📝 conformance/packages/dns-test/src/zone_file/mod.rs (+21 -28)
📝 conformance/packages/dns-test/src/zone_file/signer.rs (+14 -3)

📄 Description

This is a new secure test that hickory fails ("false negative").

I came across this scenario trying to further investigate how much "ZSK vs KSK validation" happens in other resolvers. Although resources on the internet recommend setting up auth name servers with two keys (ZSK + KSK), this scenario allows for single-key (only ZSK) deployments.

This PR depends on #2399.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
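
The delegation check behind this scenario, as an added example (not code from the PR or from hickory-dns): a DS in the parent zone matches a child DNSKEY by key tag, algorithm and digest, and RFC 4034 requires only the Zone Key flag on that DNSKEY, so a key with flags 256 (SEP bit clear) can anchor the chain. The zone name `example.testing.` and the 32-byte key are constructed placeholders, and the function names are assumptions of this sketch.

```python
import hashlib
import struct

ZONE_FLAG = 0x0100  # flags bit 7: key may sign zone data (RFC 4034, section 2.1.1)
SEP_FLAG = 0x0001   # flags bit 15: secure entry point, conventionally set on a KSK

OWNER = "example.testing."       # constructed zone name
PUBLIC_KEY = bytes(range(32))    # constructed placeholder, not a real key
ED25519 = 15                     # DNSSEC algorithm number for Ed25519

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of a fully qualified owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 octets), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> dict:
    """DS with digest type 2: SHA-256 over owner name followed by DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest": digest}

def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """The Zone Key bit is required; the SEP bit is deliberately not consulted."""
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & ZONE_FLAG:
        return False
    return make_ds(owner, rdata) == ds

# Single-key deployment: the parent publishes a DS for the child's ZSK (flags 256).
ZSK = dnskey_rdata(ZONE_FLAG, ED25519, PUBLIC_KEY)
KSK_LIKE = dnskey_rdata(ZONE_FLAG | SEP_FLAG, ED25519, PUBLIC_KEY)
DS_OF_ZSK = make_ds(OWNER, ZSK)

if __name__ == "__main__":
    print("DS key tag:", DS_OF_ZSK["key_tag"])
    print("matches ZSK (flags 256):", ds_matches(DS_OF_ZSK, OWNER, ZSK))
    print("matches same key with SEP set:", ds_matches(DS_OF_ZSK, OWNER, KSK_LIKE))
```

Because the flags field is part of the digested RDATA, the same key material published with flags 257 yields a different DS, so the parent's DS must be generated from the DNSKEY exactly as the child publishes it.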
