]>
Commit | Line | Data |
---|---|---|
30ee601a RG |
1 | #define BOOST_TEST_DYN_LINK |
2 | #define BOOST_TEST_NO_MAIN | |
3 | #include <boost/test/unit_test.hpp> | |
4 | ||
5 | #include "arguments.hh" | |
95823c07 | 6 | #include "base32.hh" |
8455425c RG |
7 | #include "dnssecinfra.hh" |
8 | #include "dnsseckeeper.hh" | |
30ee601a RG |
9 | #include "lua-recursor4.hh" |
10 | #include "namespaces.hh" | |
11 | #include "rec-lua-conf.hh" | |
12 | #include "root-dnssec.hh" | |
13 | #include "syncres.hh" | |
e503653f | 14 | #include "test-common.hh" |
6dfff36f | 15 | #include "utility.hh" |
30ee601a RG |
16 | #include "validate-recursor.hh" |
17 | ||
30ee601a RG |
18 | RecursorStats g_stats; |
19 | GlobalStateHolder<LuaConfigItems> g_luaconfs; | |
f26bf547 | 20 | thread_local std::unique_ptr<MemRecursorCache> t_RC{nullptr}; |
30ee601a | 21 | unsigned int g_numThreads = 1; |
c1c29961 | 22 | bool g_lowercaseOutgoing = false; |
30ee601a RG |
23 | |
24 | /* Fake some required functions we didn't want the trouble to | |
25 | link with */ | |
26 | ArgvMap &arg() | |
27 | { | |
28 | static ArgvMap theArg; | |
29 | return theArg; | |
30 | } | |
31 | ||
32 | int getMTaskerTID() | |
33 | { | |
34 | return 0; | |
35 | } | |
36 | ||
5899ee54 | 37 | bool RecursorLua4::preoutquery(const ComboAddress& ns, const ComboAddress& requestor, const DNSName& query, const QType& qtype, bool isTcp, vector<DNSRecord>& res, int& ret) const |
30ee601a RG |
38 | { |
39 | return false; | |
40 | } | |
41 | ||
3fe06137 | 42 | int asyncresolve(const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, const std::shared_ptr<std::vector<std::unique_ptr<RemoteLogger>>>& outgoingLoggers, const std::set<uint16_t>& exportTypes, LWResult* res, bool* chained) |
30ee601a RG |
43 | { |
44 | return 0; | |
45 | } | |
46 | ||
47 | /* primeHints() is only here for now because it | |
48 | was way too much trouble to link with the real one. | |
49 | We should fix this, empty functions are one thing, but this is | |
50 | bad. | |
51 | */ | |
52 | ||
53 | #include "root-addresses.hh" | |
54 | ||
55 | void primeHints(void) | |
56 | { | |
57 | vector<DNSRecord> nsset; | |
58 | if(!t_RC) | |
f26bf547 | 59 | t_RC = std::unique_ptr<MemRecursorCache>(new MemRecursorCache()); |
30ee601a RG |
60 | |
61 | DNSRecord arr, aaaarr, nsrr; | |
62 | nsrr.d_name=g_rootdnsname; | |
63 | arr.d_type=QType::A; | |
64 | aaaarr.d_type=QType::AAAA; | |
65 | nsrr.d_type=QType::NS; | |
66 | arr.d_ttl=aaaarr.d_ttl=nsrr.d_ttl=time(nullptr)+3600000; | |
67 | ||
68 | for(char c='a';c<='m';++c) { | |
e4f772ce | 69 | char templ[40]; |
30ee601a RG |
70 | strncpy(templ,"a.root-servers.net.", sizeof(templ) - 1); |
71 | templ[sizeof(templ)-1] = '\0'; | |
72 | *templ=c; | |
73 | aaaarr.d_name=arr.d_name=DNSName(templ); | |
74 | nsrr.d_content=std::make_shared<NSRecordContent>(DNSName(templ)); | |
75 | arr.d_content=std::make_shared<ARecordContent>(ComboAddress(rootIps4[c-'a'])); | |
76 | vector<DNSRecord> aset; | |
77 | aset.push_back(arr); | |
606accb0 | 78 | t_RC->replace(time(nullptr), DNSName(templ), QType(QType::A), aset, vector<std::shared_ptr<RRSIGRecordContent>>(), vector<std::shared_ptr<DNSRecord>>(), true); // auth, nuke it all |
30ee601a RG |
79 | if (rootIps6[c-'a'] != NULL) { |
80 | aaaarr.d_content=std::make_shared<AAAARecordContent>(ComboAddress(rootIps6[c-'a'])); | |
81 | ||
82 | vector<DNSRecord> aaaaset; | |
83 | aaaaset.push_back(aaaarr); | |
606accb0 | 84 | t_RC->replace(time(nullptr), DNSName(templ), QType(QType::AAAA), aaaaset, vector<std::shared_ptr<RRSIGRecordContent>>(), vector<std::shared_ptr<DNSRecord>>(), true); |
30ee601a RG |
85 | } |
86 | ||
87 | nsset.push_back(nsrr); | |
88 | } | |
606accb0 | 89 | t_RC->replace(time(nullptr), g_rootdnsname, QType(QType::NS), nsset, vector<std::shared_ptr<RRSIGRecordContent>>(), vector<std::shared_ptr<DNSRecord>>(), false); // and stuff in the cache |
30ee601a RG |
90 | } |
91 | ||
92 | LuaConfigItems::LuaConfigItems() | |
93 | { | |
94 | for (const auto &dsRecord : rootDSs) { | |
32122aab | 95 | auto ds=std::dynamic_pointer_cast<DSRecordContent>(DSRecordContent::make(dsRecord)); |
30ee601a RG |
96 | dsAnchors[g_rootdnsname].insert(*ds); |
97 | } | |
98 | } | |
99 | ||
100 | /* Some helpers functions */ | |
101 | ||
102 | static void init(bool debug=false) | |
103 | { | |
e6a9dde5 PL |
104 | g_log.setName("test"); |
105 | g_log.disableSyslog(true); | |
b4c8789a | 106 | |
30ee601a | 107 | if (debug) { |
e6a9dde5 PL |
108 | g_log.setLoglevel((Logger::Urgency)(6)); // info and up |
109 | g_log.toConsole(Logger::Info); | |
30ee601a | 110 | } |
b4c8789a | 111 | else { |
e6a9dde5 PL |
112 | g_log.setLoglevel(Logger::None); |
113 | g_log.toConsole(Logger::Error); | |
b4c8789a | 114 | } |
30ee601a | 115 | |
d6e797b8 | 116 | reportAllTypes(); |
30ee601a | 117 | |
f26bf547 | 118 | t_RC = std::unique_ptr<MemRecursorCache>(new MemRecursorCache()); |
30ee601a | 119 | |
30ee601a RG |
120 | SyncRes::s_maxqperq = 50; |
121 | SyncRes::s_maxtotusec = 1000*7000; | |
122 | SyncRes::s_maxdepth = 40; | |
123 | SyncRes::s_maxnegttl = 3600; | |
124 | SyncRes::s_maxcachettl = 86400; | |
125 | SyncRes::s_packetcachettl = 3600; | |
126 | SyncRes::s_packetcacheservfailttl = 60; | |
127 | SyncRes::s_serverdownmaxfails = 64; | |
128 | SyncRes::s_serverdownthrottletime = 60; | |
129 | SyncRes::s_doIPv6 = true; | |
e9f9b8ec RG |
130 | SyncRes::s_ecsipv4limit = 24; |
131 | SyncRes::s_ecsipv6limit = 56; | |
f58c8379 | 132 | SyncRes::s_rootNXTrust = true; |
d6e797b8 | 133 | SyncRes::s_minimumTTL = 0; |
648bcbd1 | 134 | SyncRes::s_serverID = "PowerDNS Unit Tests Server ID"; |
2fe3354d CH |
135 | SyncRes::clearEDNSLocalSubnets(); |
136 | SyncRes::addEDNSLocalSubnet("0.0.0.0/0"); | |
137 | SyncRes::addEDNSLocalSubnet("::/0"); | |
138 | SyncRes::clearEDNSRemoteSubnets(); | |
9065eb05 RG |
139 | SyncRes::clearEDNSDomains(); |
140 | SyncRes::clearDelegationOnly(); | |
141 | SyncRes::clearDontQuery(); | |
2fe3354d | 142 | SyncRes::setECSScopeZeroAddress(Netmask("127.0.0.1/32")); |
648bcbd1 | 143 | |
a712cb56 | 144 | SyncRes::clearNSSpeeds(); |
6dfff36f | 145 | BOOST_CHECK_EQUAL(SyncRes::getNSSpeedsSize(), 0); |
a712cb56 | 146 | SyncRes::clearEDNSStatuses(); |
6dfff36f | 147 | BOOST_CHECK_EQUAL(SyncRes::getEDNSStatusesSize(), 0); |
a712cb56 | 148 | SyncRes::clearThrottle(); |
6dfff36f | 149 | BOOST_CHECK_EQUAL(SyncRes::getThrottledServersSize(), 0); |
a712cb56 | 150 | SyncRes::clearFailedServers(); |
6dfff36f | 151 | BOOST_CHECK_EQUAL(SyncRes::getFailedServersSize(), 0); |
a712cb56 | 152 | |
648bcbd1 RG |
153 | auto luaconfsCopy = g_luaconfs.getCopy(); |
154 | luaconfsCopy.dfe.clear(); | |
8455425c RG |
155 | luaconfsCopy.dsAnchors.clear(); |
156 | for (const auto &dsRecord : rootDSs) { | |
32122aab | 157 | auto ds=std::dynamic_pointer_cast<DSRecordContent>(DSRecordContent::make(dsRecord)); |
8455425c RG |
158 | luaconfsCopy.dsAnchors[g_rootdnsname].insert(*ds); |
159 | } | |
160 | luaconfsCopy.negAnchors.clear(); | |
648bcbd1 RG |
161 | g_luaconfs.setState(luaconfsCopy); |
162 | ||
8455425c | 163 | g_dnssecmode = DNSSECMode::Off; |
895449a5 | 164 | g_dnssecLOG = debug; |
b7c40613 | 165 | g_maxNSEC3Iterations = 2500; |
8455425c | 166 | |
648bcbd1 | 167 | ::arg().set("version-string", "string reported on version.pdns or version.bind")="PowerDNS Unit Tests"; |
964ee532 RG |
168 | ::arg().set("rng")="auto"; |
169 | ::arg().set("entropy-source")="/dev/urandom"; | |
30ee601a RG |
170 | } |
171 | ||
895449a5 | 172 | static void initSR(std::unique_ptr<SyncRes>& sr, bool dnssec=false, bool debug=false, time_t fakeNow=0) |
30ee601a RG |
173 | { |
174 | struct timeval now; | |
d6e797b8 RG |
175 | if (fakeNow > 0) { |
176 | now.tv_sec = fakeNow; | |
177 | now.tv_usec = 0; | |
178 | } | |
179 | else { | |
180 | Utility::gettimeofday(&now, 0); | |
181 | } | |
182 | ||
895449a5 RG |
183 | init(debug); |
184 | ||
30ee601a | 185 | sr = std::unique_ptr<SyncRes>(new SyncRes(now)); |
895449a5 | 186 | sr->setDoEDNS0(true); |
0c43f455 RG |
187 | if (dnssec) { |
188 | sr->setDoDNSSEC(dnssec); | |
189 | } | |
190 | ||
895449a5 RG |
191 | sr->setLogMode(debug == false ? SyncRes::LogNone : SyncRes::Log); |
192 | ||
a712cb56 RG |
193 | SyncRes::setDomainMap(std::make_shared<SyncRes::domainmap_t>()); |
194 | SyncRes::clearNegCache(); | |
30ee601a RG |
195 | } |
196 | ||
0c43f455 RG |
197 | static void setDNSSECValidation(std::unique_ptr<SyncRes>& sr, const DNSSECMode& mode) |
198 | { | |
199 | sr->setDNSSECValidationRequested(true); | |
200 | g_dnssecmode = mode; | |
201 | } | |
202 | ||
269ac73d | 203 | static void setLWResult(LWResult* res, int rcode, bool aa=false, bool tc=false, bool edns=false, bool validpacket=true) |
30ee601a RG |
204 | { |
205 | res->d_rcode = rcode; | |
206 | res->d_aabit = aa; | |
207 | res->d_tcbit = tc; | |
208 | res->d_haveEDNS = edns; | |
269ac73d | 209 | res->d_validpacket = validpacket; |
30ee601a RG |
210 | } |
211 | ||
d6e797b8 RG |
212 | static void addRecordToLW(LWResult* res, const DNSName& name, uint16_t type, const std::string& content, DNSResourceRecord::Place place=DNSResourceRecord::ANSWER, uint32_t ttl=60) |
213 | { | |
214 | addRecordToList(res->d_records, name, type, content, place, ttl); | |
30ee601a RG |
215 | } |
216 | ||
217 | static void addRecordToLW(LWResult* res, const std::string& name, uint16_t type, const std::string& content, DNSResourceRecord::Place place=DNSResourceRecord::ANSWER, uint32_t ttl=60) | |
218 | { | |
219 | addRecordToLW(res, DNSName(name), type, content, place, ttl); | |
220 | } | |
221 | ||
222 | static bool isRootServer(const ComboAddress& ip) | |
223 | { | |
8455425c RG |
224 | if (ip.isIPv4()) { |
225 | for (size_t idx = 0; idx < rootIps4Count; idx++) { | |
226 | if (ip.toString() == rootIps4[idx]) { | |
227 | return true; | |
228 | } | |
30ee601a RG |
229 | } |
230 | } | |
8455425c RG |
231 | else { |
232 | for (size_t idx = 0; idx < rootIps6Count; idx++) { | |
233 | if (ip.toString() == rootIps6[idx]) { | |
234 | return true; | |
235 | } | |
30ee601a RG |
236 | } |
237 | } | |
8455425c | 238 | |
30ee601a RG |
239 | return false; |
240 | } | |
241 | ||
1e2e06f1 | 242 | static void computeRRSIG(const DNSSECPrivateKey& dpk, const DNSName& signer, const DNSName& signQName, uint16_t signQType, uint32_t signTTL, uint32_t sigValidity, RRSIGRecordContent& rrc, vector<shared_ptr<DNSRecordContent> >& toSign, boost::optional<uint8_t> algo=boost::none, boost::optional<uint32_t> inception=boost::none, boost::optional<time_t> now=boost::none) |
8455425c | 243 | { |
1e2e06f1 RG |
244 | if (!now) { |
245 | now = time(nullptr); | |
246 | } | |
8455425c RG |
247 | DNSKEYRecordContent drc = dpk.getDNSKEY(); |
248 | const std::shared_ptr<DNSCryptoKeyEngine> rc = dpk.getKey(); | |
249 | ||
250 | rrc.d_type = signQType; | |
251 | rrc.d_labels = signQName.countLabels() - signQName.isWildcard(); | |
252 | rrc.d_originalttl = signTTL; | |
1e2e06f1 RG |
253 | rrc.d_siginception = inception ? *inception : (*now - 10); |
254 | rrc.d_sigexpire = *now + sigValidity; | |
8455425c RG |
255 | rrc.d_signer = signer; |
256 | rrc.d_tag = 0; | |
257 | rrc.d_tag = drc.getTag(); | |
3d5ebf10 | 258 | rrc.d_algorithm = algo ? *algo : drc.d_algorithm; |
8455425c RG |
259 | |
260 | std::string msg = getMessageForRRSET(signQName, rrc, toSign); | |
261 | ||
262 | rrc.d_signature = rc->sign(msg); | |
263 | } | |
264 | ||
b7f378d1 RG |
265 | typedef std::unordered_map<DNSName, std::pair<DNSSECPrivateKey, DSRecordContent> > testkeysset_t; |
266 | ||
1e2e06f1 | 267 | static bool addRRSIG(const testkeysset_t& keys, std::vector<DNSRecord>& records, const DNSName& signer, uint32_t sigValidity, bool broken=false, boost::optional<uint8_t> algo=boost::none, boost::optional<DNSName> wildcard=boost::none, boost::optional<time_t> now=boost::none) |
8455425c RG |
268 | { |
269 | if (records.empty()) { | |
5374b03b | 270 | return false; |
8455425c RG |
271 | } |
272 | ||
273 | const auto it = keys.find(signer); | |
274 | if (it == keys.cend()) { | |
86f1af1c | 275 | throw std::runtime_error("No DNSKEY found for " + signer.toLogString() + ", unable to compute the requested RRSIG"); |
8455425c RG |
276 | } |
277 | ||
278 | size_t recordsCount = records.size(); | |
279 | const DNSName& name = records[recordsCount-1].d_name; | |
280 | const uint16_t type = records[recordsCount-1].d_type; | |
281 | ||
282 | std::vector<std::shared_ptr<DNSRecordContent> > recordcontents; | |
283 | for (const auto record : records) { | |
284 | if (record.d_name == name && record.d_type == type) { | |
285 | recordcontents.push_back(record.d_content); | |
286 | } | |
287 | } | |
288 | ||
289 | RRSIGRecordContent rrc; | |
1e2e06f1 | 290 | computeRRSIG(it->second.first, signer, wildcard ? *wildcard : records[recordsCount-1].d_name, records[recordsCount-1].d_type, records[recordsCount-1].d_ttl, sigValidity, rrc, recordcontents, algo, boost::none, now); |
3d5ebf10 RG |
291 | if (broken) { |
292 | rrc.d_signature[0] ^= 42; | |
293 | } | |
8455425c RG |
294 | |
295 | DNSRecord rec; | |
dbbef467 | 296 | rec.d_type = QType::RRSIG; |
8455425c RG |
297 | rec.d_place = records[recordsCount-1].d_place; |
298 | rec.d_name = records[recordsCount-1].d_name; | |
dbbef467 | 299 | rec.d_ttl = records[recordsCount-1].d_ttl; |
8455425c RG |
300 | |
301 | rec.d_content = std::make_shared<RRSIGRecordContent>(rrc); | |
302 | records.push_back(rec); | |
5374b03b RG |
303 | |
304 | return true; | |
8455425c RG |
305 | } |
306 | ||
b7f378d1 | 307 | static void addDNSKEY(const testkeysset_t& keys, const DNSName& signer, uint32_t ttl, std::vector<DNSRecord>& records) |
8455425c RG |
308 | { |
309 | const auto it = keys.find(signer); | |
310 | if (it == keys.cend()) { | |
86f1af1c | 311 | throw std::runtime_error("No DNSKEY found for " + signer.toLogString()); |
8455425c RG |
312 | } |
313 | ||
314 | DNSRecord rec; | |
315 | rec.d_place = DNSResourceRecord::ANSWER; | |
316 | rec.d_name = signer; | |
317 | rec.d_type = QType::DNSKEY; | |
318 | rec.d_ttl = ttl; | |
319 | ||
b7f378d1 | 320 | rec.d_content = std::make_shared<DNSKEYRecordContent>(it->second.first.getDNSKEY()); |
8455425c RG |
321 | records.push_back(rec); |
322 | } | |
323 | ||
5374b03b | 324 | static bool addDS(const DNSName& domain, uint32_t ttl, std::vector<DNSRecord>& records, const testkeysset_t& keys, DNSResourceRecord::Place place=DNSResourceRecord::AUTHORITY) |
8455425c | 325 | { |
b7f378d1 RG |
326 | const auto it = keys.find(domain); |
327 | if (it == keys.cend()) { | |
5374b03b | 328 | return false; |
8455425c RG |
329 | } |
330 | ||
b7f378d1 RG |
331 | DNSRecord rec; |
332 | rec.d_name = domain; | |
333 | rec.d_type = QType::DS; | |
a53e8fe3 | 334 | rec.d_place = place; |
b7f378d1 RG |
335 | rec.d_ttl = ttl; |
336 | rec.d_content = std::make_shared<DSRecordContent>(it->second.second); | |
8455425c | 337 | |
b7f378d1 | 338 | records.push_back(rec); |
5374b03b | 339 | return true; |
8455425c RG |
340 | } |
341 | ||
342 | static void addNSECRecordToLW(const DNSName& domain, const DNSName& next, const std::set<uint16_t>& types, uint32_t ttl, std::vector<DNSRecord>& records) | |
343 | { | |
344 | NSECRecordContent nrc; | |
345 | nrc.d_next = next; | |
27d4a65b RG |
346 | for (const auto& type : types) { |
347 | nrc.set(type); | |
348 | } | |
8455425c RG |
349 | |
350 | DNSRecord rec; | |
351 | rec.d_name = domain; | |
352 | rec.d_ttl = ttl; | |
353 | rec.d_type = QType::NSEC; | |
27d4a65b | 354 | rec.d_content = std::make_shared<NSECRecordContent>(std::move(nrc)); |
8455425c RG |
355 | rec.d_place = DNSResourceRecord::AUTHORITY; |
356 | ||
357 | records.push_back(rec); | |
358 | } | |
359 | ||
95823c07 RG |
360 | static void addNSEC3RecordToLW(const DNSName& hashedName, const std::string& hashedNext, const std::string& salt, unsigned int iterations, const std::set<uint16_t>& types, uint32_t ttl, std::vector<DNSRecord>& records) |
361 | { | |
362 | NSEC3RecordContent nrc; | |
363 | nrc.d_algorithm = 1; | |
364 | nrc.d_flags = 0; | |
365 | nrc.d_iterations = iterations; | |
366 | nrc.d_salt = salt; | |
367 | nrc.d_nexthash = hashedNext; | |
27d4a65b RG |
368 | for (const auto& type : types) { |
369 | nrc.set(type); | |
370 | } | |
95823c07 RG |
371 | |
372 | DNSRecord rec; | |
373 | rec.d_name = hashedName; | |
374 | rec.d_ttl = ttl; | |
375 | rec.d_type = QType::NSEC3; | |
27d4a65b | 376 | rec.d_content = std::make_shared<NSEC3RecordContent>(std::move(nrc)); |
95823c07 RG |
377 | rec.d_place = DNSResourceRecord::AUTHORITY; |
378 | ||
379 | records.push_back(rec); | |
380 | } | |
381 | ||
b7c40613 | 382 | static void addNSEC3UnhashedRecordToLW(const DNSName& domain, const DNSName& zone, const std::string& next, const std::set<uint16_t>& types, uint32_t ttl, std::vector<DNSRecord>& records, unsigned int iterations=10) |
95823c07 RG |
383 | { |
384 | static const std::string salt = "deadbeef"; | |
95823c07 RG |
385 | std::string hashed = hashQNameWithSalt(salt, iterations, domain); |
386 | ||
9b061cf5 | 387 | addNSEC3RecordToLW(DNSName(toBase32Hex(hashed)) + zone, next, salt, iterations, types, ttl, records); |
95823c07 RG |
388 | } |
389 | ||
b7c40613 | 390 | static void addNSEC3NarrowRecordToLW(const DNSName& domain, const DNSName& zone, const std::set<uint16_t>& types, uint32_t ttl, std::vector<DNSRecord>& records, unsigned int iterations=10) |
95823c07 RG |
391 | { |
392 | static const std::string salt = "deadbeef"; | |
95823c07 | 393 | std::string hashed = hashQNameWithSalt(salt, iterations, domain); |
95823c07 RG |
394 | std::string hashedNext(hashed); |
395 | incrementHash(hashedNext); | |
396 | decrementHash(hashed); | |
397 | ||
9b061cf5 | 398 | addNSEC3RecordToLW(DNSName(toBase32Hex(hashed)) + zone, hashedNext, salt, iterations, types, ttl, records); |
95823c07 RG |
399 | } |
400 | ||
b7f378d1 | 401 | static void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys) |
8455425c RG |
402 | { |
403 | auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(algo)); | |
b7f378d1 | 404 | dcke->create((algo <= 10) ? 2048 : dcke->getBits()); |
8455425c RG |
405 | DNSSECPrivateKey dpk; |
406 | dpk.d_flags = 256; | |
407 | dpk.setKey(dcke); | |
8455425c | 408 | DSRecordContent ds = makeDSFromDNSKey(name, dpk.getDNSKEY(), digest); |
b7f378d1 RG |
409 | keys[name] = std::pair<DNSSECPrivateKey,DSRecordContent>(dpk,ds); |
410 | } | |
411 | ||
412 | static void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys, map<DNSName,dsmap_t>& dsAnchors) | |
413 | { | |
414 | generateKeyMaterial(name, algo, digest, keys); | |
415 | dsAnchors[name].insert(keys[name].second); | |
8455425c RG |
416 | } |
417 | ||
f4de85a3 | 418 | static int genericDSAndDNSKEYHandler(LWResult* res, const DNSName& domain, DNSName auth, int type, const testkeysset_t& keys, bool proveCut=true) |
5374b03b RG |
419 | { |
420 | if (type == QType::DS) { | |
421 | auth.chopOff(); | |
422 | ||
423 | setLWResult(res, 0, true, false, true); | |
424 | ||
425 | if (addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER)) { | |
426 | addRRSIG(keys, res->d_records, auth, 300); | |
427 | } | |
428 | else { | |
429 | addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); | |
430 | ||
431 | /* if the auth zone is signed, we need to provide a secure denial */ | |
432 | const auto it = keys.find(auth); | |
433 | if (it != keys.cend()) { | |
434 | /* sign the SOA */ | |
435 | addRRSIG(keys, res->d_records, auth, 300); | |
436 | /* add a NSEC denying the DS */ | |
f4de85a3 RG |
437 | std::set<uint16_t> types = { QType::NSEC }; |
438 | if (proveCut) { | |
439 | types.insert(QType::NS); | |
440 | } | |
441 | ||
442 | addNSECRecordToLW(domain, DNSName("z") + domain, types, 600, res->d_records); | |
5374b03b RG |
443 | addRRSIG(keys, res->d_records, auth, 300); |
444 | } | |
445 | } | |
446 | ||
447 | return 1; | |
448 | } | |
449 | ||
450 | if (type == QType::DNSKEY) { | |
451 | setLWResult(res, 0, true, false, true); | |
dbbef467 RG |
452 | addDNSKEY(keys, domain, 300, res->d_records); |
453 | addRRSIG(keys, res->d_records, domain, 300); | |
5374b03b RG |
454 | return 1; |
455 | } | |
456 | ||
457 | return 0; | |
458 | } | |
459 | ||
30ee601a RG |
460 | /* Real tests */ |
461 | ||
462 | BOOST_AUTO_TEST_SUITE(syncres_cc) | |
463 | ||
464 | BOOST_AUTO_TEST_CASE(test_root_primed) { | |
465 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 466 | initSR(sr); |
30ee601a RG |
467 | |
468 | primeHints(); | |
895449a5 | 469 | |
4d2be65d | 470 | const DNSName target("a.root-servers.net."); |
30ee601a | 471 | |
4d2be65d | 472 | /* we are primed, we should be able to resolve A a.root-servers.net. without any query */ |
30ee601a | 473 | vector<DNSRecord> ret; |
4d2be65d | 474 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); |
b7f378d1 | 475 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
4d2be65d RG |
476 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
477 | BOOST_CHECK(ret[0].d_type == QType::A); | |
478 | BOOST_CHECK_EQUAL(ret[0].d_name, target); | |
479 | ||
480 | ret.clear(); | |
481 | res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret); | |
b7f378d1 RG |
482 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
483 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
4d2be65d RG |
484 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
485 | BOOST_CHECK(ret[0].d_type == QType::AAAA); | |
486 | BOOST_CHECK_EQUAL(ret[0].d_name, target); | |
4d2be65d RG |
487 | } |
488 | ||
489 | BOOST_AUTO_TEST_CASE(test_root_primed_ns) { | |
490 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 491 | initSR(sr); |
4d2be65d RG |
492 | |
493 | primeHints(); | |
494 | const DNSName target("."); | |
495 | ||
496 | /* we are primed, but we should not be able to NS . without any query | |
497 | because the . NS entry is not stored as authoritative */ | |
498 | ||
499 | size_t queriesCount = 0; | |
500 | ||
0bd2e252 | 501 | sr->setAsyncCallback([target,&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
4d2be65d RG |
502 | queriesCount++; |
503 | ||
504 | if (domain == target && type == QType::NS) { | |
505 | ||
506 | setLWResult(res, 0, true, false, true); | |
8455425c | 507 | char addr[] = "a.root-servers.net."; |
4d2be65d | 508 | for (char idx = 'a'; idx <= 'm'; idx++) { |
8455425c RG |
509 | addr[0] = idx; |
510 | addRecordToLW(res, g_rootdnsname, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600); | |
4d2be65d RG |
511 | } |
512 | ||
513 | addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600); | |
514 | addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600); | |
515 | ||
516 | return 1; | |
517 | } | |
518 | ||
519 | return 0; | |
520 | }); | |
521 | ||
522 | vector<DNSRecord> ret; | |
523 | int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
b7f378d1 | 524 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
4d2be65d RG |
525 | BOOST_REQUIRE_EQUAL(ret.size(), 13); |
526 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
30ee601a RG |
527 | } |
528 | ||
529 | BOOST_AUTO_TEST_CASE(test_root_not_primed) { | |
530 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 531 | initSR(sr); |
30ee601a RG |
532 | |
533 | size_t queriesCount = 0; | |
534 | ||
0bd2e252 | 535 | sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
30ee601a RG |
536 | queriesCount++; |
537 | ||
538 | if (domain == g_rootdnsname && type == QType::NS) { | |
539 | setLWResult(res, 0, true, false, true); | |
540 | addRecordToLW(res, g_rootdnsname, QType::NS, "a.root-servers.net.", DNSResourceRecord::ANSWER, 3600); | |
541 | addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600); | |
542 | addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600); | |
543 | ||
544 | return 1; | |
545 | } | |
546 | ||
547 | return 0; | |
548 | }); | |
549 | ||
550 | /* we are not primed yet, so SyncRes will have to call primeHints() | |
551 | then call getRootNS(), for which at least one of the root servers needs to answer */ | |
552 | vector<DNSRecord> ret; | |
553 | int res = sr->beginResolve(DNSName("."), QType(QType::NS), QClass::IN, ret); | |
b7f378d1 | 554 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
30ee601a RG |
555 | BOOST_CHECK_EQUAL(ret.size(), 1); |
556 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
557 | } | |
558 | ||
559 | BOOST_AUTO_TEST_CASE(test_root_not_primed_and_no_response) { | |
560 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 561 | initSR(sr); |
30ee601a RG |
562 | std::set<ComboAddress> downServers; |
563 | ||
564 | /* we are not primed yet, so SyncRes will have to call primeHints() | |
565 | then call getRootNS(), for which at least one of the root servers needs to answer. | |
566 | None will, so it should ServFail. | |
567 | */ | |
0bd2e252 | 568 | sr->setAsyncCallback([&downServers](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
30ee601a RG |
569 | |
570 | downServers.insert(ip); | |
571 | return 0; | |
572 | }); | |
573 | ||
574 | vector<DNSRecord> ret; | |
575 | int res = sr->beginResolve(DNSName("."), QType(QType::NS), QClass::IN, ret); | |
f58c8379 | 576 | BOOST_CHECK_EQUAL(res, RCode::ServFail); |
30ee601a RG |
577 | BOOST_CHECK_EQUAL(ret.size(), 0); |
578 | BOOST_CHECK(downServers.size() > 0); | |
579 | /* we explicitly refuse to mark the root servers down */ | |
580 | for (const auto& server : downServers) { | |
a712cb56 | 581 | BOOST_CHECK_EQUAL(SyncRes::getServerFailsCount(server), 0); |
30ee601a RG |
582 | } |
583 | } | |
584 | ||
585 | BOOST_AUTO_TEST_CASE(test_edns_formerr_fallback) { | |
586 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 587 | initSR(sr); |
30ee601a RG |
588 | |
589 | ComboAddress noEDNSServer; | |
590 | size_t queriesWithEDNS = 0; | |
591 | size_t queriesWithoutEDNS = 0; | |
592 | ||
0bd2e252 | 593 | sr->setAsyncCallback([&queriesWithEDNS, &queriesWithoutEDNS, &noEDNSServer](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
30ee601a RG |
594 | if (EDNS0Level != 0) { |
595 | queriesWithEDNS++; | |
596 | noEDNSServer = ip; | |
597 | ||
598 | setLWResult(res, RCode::FormErr); | |
599 | return 1; | |
600 | } | |
601 | ||
602 | queriesWithoutEDNS++; | |
603 | ||
604 | if (domain == DNSName("powerdns.com") && type == QType::A && !doTCP) { | |
605 | setLWResult(res, 0, true, false, false); | |
606 | addRecordToLW(res, domain, QType::A, "192.0.2.1"); | |
607 | return 1; | |
608 | } | |
609 | ||
610 | return 0; | |
611 | }); | |
612 | ||
613 | primeHints(); | |
614 | ||
615 | /* fake that the root NS doesn't handle EDNS, check that we fallback */ | |
616 | vector<DNSRecord> ret; | |
617 | int res = sr->beginResolve(DNSName("powerdns.com."), QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 618 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
30ee601a RG |
619 | BOOST_CHECK_EQUAL(ret.size(), 1); |
620 | BOOST_CHECK_EQUAL(queriesWithEDNS, 1); | |
621 | BOOST_CHECK_EQUAL(queriesWithoutEDNS, 1); | |
a712cb56 RG |
622 | BOOST_CHECK_EQUAL(SyncRes::getEDNSStatusesSize(), 1); |
623 | BOOST_CHECK_EQUAL(SyncRes::getEDNSStatus(noEDNSServer), SyncRes::EDNSStatus::NOEDNS); | |
30ee601a RG |
624 | } |
625 | ||
27ae17df RG |
626 | BOOST_AUTO_TEST_CASE(test_edns_formerr_but_edns_enabled) { |
627 | std::unique_ptr<SyncRes> sr; | |
628 | initSR(sr); | |
629 | ||
630 | /* in this test, the auth answers with FormErr to an EDNS-enabled | |
631 | query, but the response does contain EDNS so we should not mark | |
632 | it as EDNS ignorant or intolerant. | |
633 | */ | |
634 | size_t queriesWithEDNS = 0; | |
635 | size_t queriesWithoutEDNS = 0; | |
636 | std::set<ComboAddress> usedServers; | |
637 | ||
638 | sr->setAsyncCallback([&queriesWithEDNS, &queriesWithoutEDNS, &usedServers](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { | |
639 | ||
640 | if (EDNS0Level > 0) { | |
641 | queriesWithEDNS++; | |
642 | } | |
643 | else { | |
644 | queriesWithoutEDNS++; | |
645 | } | |
646 | usedServers.insert(ip); | |
647 | ||
648 | if (type == QType::DNAME) { | |
649 | setLWResult(res, RCode::FormErr); | |
650 | if (EDNS0Level > 0) { | |
651 | res->d_haveEDNS = true; | |
652 | } | |
653 | return 1; | |
654 | } | |
655 | ||
656 | return 0; | |
657 | }); | |
658 | ||
659 | primeHints(); | |
660 | ||
661 | vector<DNSRecord> ret; | |
662 | int res = sr->beginResolve(DNSName("powerdns.com."), QType(QType::DNAME), QClass::IN, ret); | |
663 | BOOST_CHECK_EQUAL(res, RCode::ServFail); | |
664 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
665 | BOOST_CHECK_EQUAL(queriesWithEDNS, 26); | |
666 | BOOST_CHECK_EQUAL(queriesWithoutEDNS, 0); | |
667 | BOOST_CHECK_EQUAL(SyncRes::getEDNSStatusesSize(), 26); | |
668 | BOOST_CHECK_EQUAL(usedServers.size(), 26); | |
669 | for (const auto& server : usedServers) { | |
670 | BOOST_CHECK_EQUAL(SyncRes::getEDNSStatus(server), SyncRes::EDNSStatus::EDNSOK); | |
671 | } | |
672 | } | |
673 | ||
25e654f7 RG |
674 | BOOST_AUTO_TEST_CASE(test_meta_types) { |
675 | std::unique_ptr<SyncRes> sr; | |
676 | initSR(sr); | |
677 | ||
678 | static const std::set<uint16_t> invalidTypes = { 128, QType::AXFR, QType::IXFR, QType::RRSIG, QType::NSEC3, QType::OPT, QType::TSIG, QType::TKEY, QType::MAILA, QType::MAILB, 65535 }; | |
679 | ||
680 | for (const auto qtype : invalidTypes) { | |
681 | size_t queriesCount = 0; | |
682 | ||
683 | sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { | |
684 | ||
685 | queriesCount++; | |
686 | return 0; | |
687 | }); | |
688 | ||
689 | primeHints(); | |
690 | ||
691 | vector<DNSRecord> ret; | |
692 | int res = sr->beginResolve(DNSName("powerdns.com."), QType(qtype), QClass::IN, ret); | |
693 | BOOST_CHECK_EQUAL(res, -1); | |
694 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
695 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
696 | } | |
697 | } | |
698 | ||
30ee601a RG |
699 | BOOST_AUTO_TEST_CASE(test_tc_fallback_to_tcp) { |
700 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 701 | initSR(sr); |
30ee601a | 702 | |
0bd2e252 | 703 | sr->setAsyncCallback([](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
30ee601a RG |
704 | if (!doTCP) { |
705 | setLWResult(res, 0, false, true, false); | |
706 | return 1; | |
707 | } | |
708 | if (domain == DNSName("powerdns.com") && type == QType::A && doTCP) { | |
709 | setLWResult(res, 0, true, false, false); | |
710 | addRecordToLW(res, domain, QType::A, "192.0.2.1"); | |
711 | return 1; | |
712 | } | |
713 | ||
714 | return 0; | |
715 | }); | |
716 | ||
717 | primeHints(); | |
718 | ||
719 | /* fake that the NS truncates every request over UDP, we should fallback to TCP */ | |
720 | vector<DNSRecord> ret; | |
721 | int res = sr->beginResolve(DNSName("powerdns.com."), QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 722 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
30ee601a RG |
723 | } |
724 | ||
3337c2f7 RG |
725 | BOOST_AUTO_TEST_CASE(test_tc_over_tcp) { |
726 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 727 | initSR(sr); |
3337c2f7 RG |
728 | |
729 | size_t tcpQueriesCount = 0; | |
730 | ||
0bd2e252 | 731 | sr->setAsyncCallback([&tcpQueriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3337c2f7 RG |
732 | if (!doTCP) { |
733 | setLWResult(res, 0, true, true, false); | |
734 | return 1; | |
735 | } | |
736 | ||
737 | /* first TCP query is answered with a TC response */ | |
738 | tcpQueriesCount++; | |
739 | if (tcpQueriesCount == 1) { | |
740 | setLWResult(res, 0, true, true, false); | |
741 | } | |
742 | else { | |
743 | setLWResult(res, 0, true, false, false); | |
744 | } | |
745 | ||
746 | addRecordToLW(res, domain, QType::A, "192.0.2.1"); | |
747 | return 1; | |
748 | }); | |
749 | ||
750 | primeHints(); | |
751 | ||
752 | vector<DNSRecord> ret; | |
753 | int res = sr->beginResolve(DNSName("powerdns.com."), QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 754 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
3337c2f7 RG |
755 | BOOST_CHECK_EQUAL(tcpQueriesCount, 2); |
756 | } | |
757 | ||
30ee601a RG |
758 | BOOST_AUTO_TEST_CASE(test_all_nss_down) { |
759 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 760 | initSR(sr); |
30ee601a RG |
761 | std::set<ComboAddress> downServers; |
762 | ||
763 | primeHints(); | |
764 | ||
0bd2e252 | 765 | sr->setAsyncCallback([&downServers](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
30ee601a RG |
766 | |
767 | if (isRootServer(ip)) { | |
8455425c | 768 | setLWResult(res, 0, false, false, true); |
30ee601a RG |
769 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
770 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
771 | addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600); | |
772 | return 1; | |
773 | } | |
774 | else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) { | |
8455425c | 775 | setLWResult(res, 0, false, false, true); |
30ee601a RG |
776 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); |
777 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); | |
778 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800); | |
779 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800); | |
780 | addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800); | |
781 | addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800); | |
782 | return 1; | |
783 | } | |
784 | else { | |
785 | downServers.insert(ip); | |
786 | return 0; | |
787 | } | |
788 | }); | |
789 | ||
ccb07d93 RG |
790 | DNSName target("powerdns.com."); |
791 | ||
30ee601a | 792 | vector<DNSRecord> ret; |
ccb07d93 | 793 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); |
f58c8379 | 794 | BOOST_CHECK_EQUAL(res, RCode::ServFail); |
30ee601a RG |
795 | BOOST_CHECK_EQUAL(ret.size(), 0); |
796 | BOOST_CHECK_EQUAL(downServers.size(), 4); | |
797 | ||
606accb0 | 798 | time_t now = sr->getNow().tv_sec; |
30ee601a | 799 | for (const auto& server : downServers) { |
a712cb56 | 800 | BOOST_CHECK_EQUAL(SyncRes::getServerFailsCount(server), 1); |
606accb0 | 801 | BOOST_CHECK(SyncRes::isThrottled(now, server, target, QType::A)); |
30ee601a RG |
802 | } |
803 | } | |
804 | ||
648bcbd1 RG |
805 | BOOST_AUTO_TEST_CASE(test_all_nss_network_error) { |
806 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 807 | initSR(sr); |
648bcbd1 RG |
808 | std::set<ComboAddress> downServers; |
809 | ||
810 | primeHints(); | |
811 | ||
0bd2e252 | 812 | sr->setAsyncCallback([&downServers](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
648bcbd1 RG |
813 | |
814 | if (isRootServer(ip)) { | |
8455425c | 815 | setLWResult(res, 0, false, false, true); |
648bcbd1 RG |
816 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
817 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
818 | addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600); | |
819 | return 1; | |
820 | } | |
821 | else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) { | |
8455425c | 822 | setLWResult(res, 0, false, false, true); |
648bcbd1 RG |
823 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); |
824 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); | |
825 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800); | |
826 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800); | |
827 | addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800); | |
828 | addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800); | |
829 | return 1; | |
830 | } | |
831 | else { | |
832 | downServers.insert(ip); | |
b4c8789a | 833 | return 0; |
648bcbd1 RG |
834 | } |
835 | }); | |
836 | ||
837 | /* exact same test than the previous one, except instead of a time out we fake a network error */ | |
838 | DNSName target("powerdns.com."); | |
839 | ||
840 | vector<DNSRecord> ret; | |
841 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
842 | BOOST_CHECK_EQUAL(res, RCode::ServFail); | |
843 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
844 | BOOST_CHECK_EQUAL(downServers.size(), 4); | |
845 | ||
606accb0 | 846 | time_t now = sr->getNow().tv_sec; |
648bcbd1 | 847 | for (const auto& server : downServers) { |
a712cb56 | 848 | BOOST_CHECK_EQUAL(SyncRes::getServerFailsCount(server), 1); |
606accb0 | 849 | BOOST_CHECK(SyncRes::isThrottled(now, server, target, QType::A)); |
648bcbd1 RG |
850 | } |
851 | } | |
852 | ||
b4c8789a RG |
853 | BOOST_AUTO_TEST_CASE(test_only_one_ns_up_resolving_itself_with_glue) { |
854 | std::unique_ptr<SyncRes> sr; | |
855 | initSR(sr); | |
856 | ||
857 | primeHints(); | |
858 | ||
859 | DNSName target("www.powerdns.com."); | |
860 | ||
0bd2e252 | 861 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
b4c8789a RG |
862 | |
863 | if (isRootServer(ip)) { | |
864 | setLWResult(res, 0, false, false, true); | |
865 | if (domain == target) { | |
866 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); | |
867 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.net.", DNSResourceRecord::AUTHORITY, 172800); | |
868 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800); | |
869 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800); | |
870 | } | |
871 | else if (domain == DNSName("pdns-public-ns2.powerdns.net.")) { | |
872 | addRecordToLW(res, "powerdns.net.", QType::NS, "pdns-public-ns2.powerdns.net.", DNSResourceRecord::AUTHORITY, 172800); | |
873 | addRecordToLW(res, "powerdns.net.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); | |
874 | addRecordToLW(res, "pdns-public-ns2.powerdns.net.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800); | |
875 | addRecordToLW(res, "pdns-public-ns2.powerdns.net.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800); | |
876 | } | |
877 | return 1; | |
878 | } | |
879 | else if (ip == ComboAddress("192.0.2.3:53")) { | |
880 | setLWResult(res, 0, true, false, true); | |
881 | if (domain == DNSName("pdns-public-ns2.powerdns.net.")) { | |
882 | if (type == QType::A) { | |
883 | addRecordToLW(res, "pdns-public-ns2.powerdns.net.", QType::A, "192.0.2.3"); | |
884 | } | |
885 | else if (type == QType::AAAA) { | |
886 | addRecordToLW(res, "pdns-public-ns2.powerdns.net.", QType::AAAA, "2001:DB8::3"); | |
887 | } | |
888 | } | |
889 | else if (domain == target) { | |
890 | if (type == QType::A) { | |
891 | addRecordToLW(res, domain, QType::A, "192.0.2.1"); | |
892 | } | |
893 | else if (type == QType::AAAA) { | |
894 | addRecordToLW(res, domain, QType::AAAA, "2001:DB8::1"); | |
895 | } | |
896 | } | |
897 | return 1; | |
898 | } | |
899 | return 0; | |
900 | }); | |
901 | ||
902 | vector<DNSRecord> ret; | |
903 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
904 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
905 | BOOST_CHECK_EQUAL(ret.size(), 1); | |
906 | } | |
907 | ||
648bcbd1 RG |
908 | BOOST_AUTO_TEST_CASE(test_os_limit_errors) { |
909 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 910 | initSR(sr); |
648bcbd1 RG |
911 | std::set<ComboAddress> downServers; |
912 | ||
913 | primeHints(); | |
914 | ||
0bd2e252 | 915 | sr->setAsyncCallback([&downServers](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
648bcbd1 RG |
916 | |
917 | if (isRootServer(ip)) { | |
8455425c | 918 | setLWResult(res, 0, false, false, true); |
648bcbd1 RG |
919 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
920 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
921 | addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600); | |
922 | return 1; | |
923 | } | |
924 | else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) { | |
8455425c | 925 | setLWResult(res, 0, false, false, true); |
648bcbd1 RG |
926 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); |
927 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); | |
928 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800); | |
929 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800); | |
930 | addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800); | |
931 | addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800); | |
932 | return 1; | |
933 | } | |
934 | else { | |
935 | if (downServers.size() < 3) { | |
936 | /* only the last one will answer */ | |
937 | downServers.insert(ip); | |
938 | return -2; | |
939 | } | |
940 | else { | |
941 | setLWResult(res, 0, true, false, true); | |
942 | addRecordToLW(res, "powerdns.com.", QType::A, "192.0.2.42"); | |
943 | return 1; | |
944 | } | |
945 | } | |
946 | }); | |
947 | ||
948 | DNSName target("powerdns.com."); | |
949 | ||
950 | vector<DNSRecord> ret; | |
951 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 952 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
953 | BOOST_CHECK_EQUAL(ret.size(), 1); |
954 | BOOST_CHECK_EQUAL(downServers.size(), 3); | |
955 | ||
956 | /* Error is reported as "OS limit error" (-2) so the servers should _NOT_ be marked down */ | |
606accb0 | 957 | time_t now = sr->getNow().tv_sec; |
648bcbd1 | 958 | for (const auto& server : downServers) { |
a712cb56 | 959 | BOOST_CHECK_EQUAL(SyncRes::getServerFailsCount(server), 0); |
606accb0 | 960 | BOOST_CHECK(!SyncRes::isThrottled(now, server, target, QType::A)); |
648bcbd1 RG |
961 | } |
962 | } | |
963 | ||
30ee601a RG |
964 | BOOST_AUTO_TEST_CASE(test_glued_referral) { |
965 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 966 | initSR(sr); |
30ee601a RG |
967 | |
968 | primeHints(); | |
969 | ||
970 | const DNSName target("powerdns.com."); | |
971 | ||
0bd2e252 | 972 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
30ee601a RG |
973 | /* this will cause issue with qname minimization if we ever implement it */ |
974 | if (domain != target) { | |
975 | return 0; | |
976 | } | |
977 | ||
978 | if (isRootServer(ip)) { | |
8455425c | 979 | setLWResult(res, 0, false, false, true); |
30ee601a RG |
980 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
981 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
982 | addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600); | |
983 | return 1; | |
984 | } | |
985 | else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) { | |
8455425c | 986 | setLWResult(res, 0, false, false, true); |
30ee601a RG |
987 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); |
988 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); | |
989 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800); | |
990 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800); | |
991 | addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800); | |
992 | addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800); | |
993 | return 1; | |
994 | } | |
995 | else if (ip == ComboAddress("192.0.2.2:53") || ip == ComboAddress("192.0.2.3:53") || ip == ComboAddress("[2001:DB8::2]:53") || ip == ComboAddress("[2001:DB8::3]:53")) { | |
996 | setLWResult(res, 0, true, false, true); | |
997 | addRecordToLW(res, target, QType::A, "192.0.2.4"); | |
998 | return 1; | |
999 | } | |
1000 | else { | |
1001 | return 0; | |
1002 | } | |
1003 | }); | |
1004 | ||
1005 | vector<DNSRecord> ret; | |
1006 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 1007 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
30ee601a | 1008 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
e9f9b8ec | 1009 | BOOST_CHECK(ret[0].d_type == QType::A); |
30ee601a RG |
1010 | BOOST_CHECK_EQUAL(ret[0].d_name, target); |
1011 | } | |
1012 | ||
1013 | BOOST_AUTO_TEST_CASE(test_glueless_referral) { | |
1014 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1015 | initSR(sr); |
30ee601a RG |
1016 | |
1017 | primeHints(); | |
1018 | ||
1019 | const DNSName target("powerdns.com."); | |
1020 | ||
0bd2e252 | 1021 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
30ee601a RG |
1022 | |
1023 | if (isRootServer(ip)) { | |
8455425c | 1024 | setLWResult(res, 0, false, false, true); |
30ee601a RG |
1025 | |
1026 | if (domain.isPartOf(DNSName("com."))) { | |
1027 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); | |
1028 | } else if (domain.isPartOf(DNSName("org."))) { | |
1029 | addRecordToLW(res, "org.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); | |
1030 | } | |
1031 | else { | |
1032 | setLWResult(res, RCode::NXDomain, false, false, true); | |
1033 | return 1; | |
1034 | } | |
1035 | ||
1036 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
1037 | addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600); | |
1038 | return 1; | |
1039 | } | |
1040 | else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) { | |
1041 | if (domain == target) { | |
8455425c | 1042 | setLWResult(res, 0, false, false, true); |
30ee601a RG |
1043 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800); |
1044 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800); | |
1045 | return 1; | |
1046 | } | |
1047 | else if (domain == DNSName("pdns-public-ns1.powerdns.org.")) { | |
1048 | setLWResult(res, 0, true, false, true); | |
1049 | addRecordToLW(res, "pdns-public-ns1.powerdns.org.", QType::A, "192.0.2.2"); | |
1050 | addRecordToLW(res, "pdns-public-ns1.powerdns.org.", QType::AAAA, "2001:DB8::2"); | |
1051 | return 1; | |
1052 | } | |
1053 | else if (domain == DNSName("pdns-public-ns2.powerdns.org.")) { | |
1054 | setLWResult(res, 0, true, false, true); | |
1055 | addRecordToLW(res, "pdns-public-ns2.powerdns.org.", QType::A, "192.0.2.3"); | |
1056 | addRecordToLW(res, "pdns-public-ns2.powerdns.org.", QType::AAAA, "2001:DB8::3"); | |
1057 | return 1; | |
1058 | } | |
1059 | ||
1060 | setLWResult(res, RCode::NXDomain, false, false, true); | |
1061 | return 1; | |
1062 | } | |
1063 | else if (ip == ComboAddress("192.0.2.2:53") || ip == ComboAddress("192.0.2.3:53") || ip == ComboAddress("[2001:DB8::2]:53") || ip == ComboAddress("[2001:DB8::3]:53")) { | |
1064 | setLWResult(res, 0, true, false, true); | |
1065 | addRecordToLW(res, target, QType::A, "192.0.2.4"); | |
1066 | return 1; | |
1067 | } | |
1068 | else { | |
1069 | return 0; | |
1070 | } | |
1071 | }); | |
1072 | ||
1073 | vector<DNSRecord> ret; | |
1074 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 1075 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
30ee601a | 1076 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
e9f9b8ec | 1077 | BOOST_CHECK(ret[0].d_type == QType::A); |
30ee601a RG |
1078 | BOOST_CHECK_EQUAL(ret[0].d_name, target); |
1079 | } | |
1080 | ||
e9f9b8ec RG |
1081 | BOOST_AUTO_TEST_CASE(test_edns_submask_by_domain) { |
1082 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1083 | initSR(sr); |
e9f9b8ec RG |
1084 | |
1085 | primeHints(); | |
1086 | ||
1087 | const DNSName target("powerdns.com."); | |
9065eb05 | 1088 | SyncRes::addEDNSDomain(target); |
e9f9b8ec RG |
1089 | |
1090 | EDNSSubnetOpts incomingECS; | |
1091 | incomingECS.source = Netmask("192.0.2.128/32"); | |
2fe3354d | 1092 | sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS)); |
e9f9b8ec | 1093 | |
0bd2e252 | 1094 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
e9f9b8ec RG |
1095 | |
1096 | BOOST_REQUIRE(srcmask); | |
1097 | BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24"); | |
1098 | return 0; | |
1099 | }); | |
1100 | ||
1101 | vector<DNSRecord> ret; | |
1102 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
f58c8379 | 1103 | BOOST_CHECK_EQUAL(res, RCode::ServFail); |
e9f9b8ec RG |
1104 | } |
1105 | ||
1106 | BOOST_AUTO_TEST_CASE(test_edns_submask_by_addr) { | |
1107 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1108 | initSR(sr); |
e9f9b8ec RG |
1109 | |
1110 | primeHints(); | |
1111 | ||
1112 | const DNSName target("powerdns.com."); | |
2fe3354d | 1113 | SyncRes::addEDNSRemoteSubnet("192.0.2.1/32"); |
e9f9b8ec RG |
1114 | |
1115 | EDNSSubnetOpts incomingECS; | |
1116 | incomingECS.source = Netmask("2001:DB8::FF/128"); | |
2fe3354d | 1117 | sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS)); |
e9f9b8ec | 1118 | |
0bd2e252 | 1119 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
e9f9b8ec RG |
1120 | |
1121 | if (isRootServer(ip)) { | |
1122 | BOOST_REQUIRE(!srcmask); | |
1123 | ||
8455425c | 1124 | setLWResult(res, 0, false, false, true); |
e9f9b8ec RG |
1125 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
1126 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
1127 | return 1; | |
1128 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
1129 | ||
1130 | BOOST_REQUIRE(srcmask); | |
1131 | BOOST_CHECK_EQUAL(srcmask->toString(), "2001:db8::/56"); | |
1132 | ||
1133 | setLWResult(res, 0, true, false, false); | |
1134 | addRecordToLW(res, domain, QType::A, "192.0.2.2"); | |
1135 | return 1; | |
1136 | } | |
1137 | ||
1138 | return 0; | |
1139 | }); | |
1140 | ||
1141 | vector<DNSRecord> ret; | |
1142 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 1143 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
778bcea6 RG |
1144 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
1145 | BOOST_CHECK(ret[0].d_type == QType::A); | |
1146 | BOOST_CHECK_EQUAL(ret[0].d_name, target); | |
1147 | } | |
1148 | ||
2fe3354d CH |
1149 | BOOST_AUTO_TEST_CASE(test_ecs_use_requestor) { |
1150 | std::unique_ptr<SyncRes> sr; | |
1151 | initSR(sr); | |
1152 | ||
1153 | primeHints(); | |
1154 | ||
1155 | const DNSName target("powerdns.com."); | |
1156 | SyncRes::addEDNSRemoteSubnet("192.0.2.1/32"); | |
1157 | // No incoming ECS data | |
1158 | sr->setQuerySource(ComboAddress("192.0.2.127"), boost::none); | |
1159 | ||
0bd2e252 | 1160 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
2fe3354d CH |
1161 | |
1162 | if (isRootServer(ip)) { | |
1163 | BOOST_REQUIRE(!srcmask); | |
1164 | ||
1165 | setLWResult(res, 0, false, false, true); | |
1166 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); | |
1167 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
1168 | return 1; | |
1169 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
1170 | ||
1171 | BOOST_REQUIRE(srcmask); | |
1172 | BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24"); | |
1173 | ||
1174 | setLWResult(res, 0, true, false, false); | |
1175 | addRecordToLW(res, domain, QType::A, "192.0.2.2"); | |
1176 | return 1; | |
1177 | } | |
1178 | ||
1179 | return 0; | |
1180 | }); | |
1181 | ||
1182 | vector<DNSRecord> ret; | |
1183 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
1184 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
1185 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
1186 | BOOST_CHECK(ret[0].d_type == QType::A); | |
1187 | BOOST_CHECK_EQUAL(ret[0].d_name, target); | |
1188 | } | |
1189 | ||
1190 | BOOST_AUTO_TEST_CASE(test_ecs_use_scope_zero) { | |
1191 | std::unique_ptr<SyncRes> sr; | |
1192 | initSR(sr); | |
1193 | ||
1194 | primeHints(); | |
1195 | ||
1196 | const DNSName target("powerdns.com."); | |
1197 | SyncRes::addEDNSRemoteSubnet("192.0.2.1/32"); | |
1198 | SyncRes::clearEDNSLocalSubnets(); | |
1199 | SyncRes::addEDNSLocalSubnet("192.0.2.254/32"); | |
1200 | // No incoming ECS data, Requestor IP not in ecs-add-for | |
1201 | sr->setQuerySource(ComboAddress("192.0.2.127"), boost::none); | |
1202 | ||
0bd2e252 | 1203 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
2fe3354d CH |
1204 | |
1205 | if (isRootServer(ip)) { | |
1206 | BOOST_REQUIRE(!srcmask); | |
1207 | ||
1208 | setLWResult(res, 0, false, false, true); | |
1209 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); | |
1210 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
1211 | return 1; | |
1212 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
1213 | ||
1214 | BOOST_REQUIRE(srcmask); | |
1215 | BOOST_CHECK_EQUAL(srcmask->toString(), "127.0.0.1/32"); | |
1216 | ||
1217 | setLWResult(res, 0, true, false, false); | |
1218 | addRecordToLW(res, domain, QType::A, "192.0.2.2"); | |
1219 | return 1; | |
1220 | } | |
1221 | ||
1222 | return 0; | |
1223 | }); | |
1224 | ||
1225 | vector<DNSRecord> ret; | |
1226 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
1227 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
1228 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
1229 | BOOST_CHECK(ret[0].d_type == QType::A); | |
1230 | BOOST_CHECK_EQUAL(ret[0].d_name, target); | |
1231 | } | |
1232 | ||
1233 | BOOST_AUTO_TEST_CASE(test_ecs_honor_incoming_mask) { | |
1234 | std::unique_ptr<SyncRes> sr; | |
1235 | initSR(sr); | |
1236 | ||
1237 | primeHints(); | |
1238 | ||
1239 | const DNSName target("powerdns.com."); | |
1240 | SyncRes::addEDNSRemoteSubnet("192.0.2.1/32"); | |
1241 | SyncRes::clearEDNSLocalSubnets(); | |
1242 | SyncRes::addEDNSLocalSubnet("192.0.2.254/32"); | |
1243 | EDNSSubnetOpts incomingECS; | |
1244 | incomingECS.source = Netmask("192.0.0.0/16"); | |
1245 | sr->setQuerySource(ComboAddress("192.0.2.127"), boost::optional<const EDNSSubnetOpts&>(incomingECS)); | |
1246 | ||
0bd2e252 | 1247 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
2fe3354d CH |
1248 | |
1249 | if (isRootServer(ip)) { | |
1250 | BOOST_REQUIRE(!srcmask); | |
1251 | ||
1252 | setLWResult(res, 0, false, false, true); | |
1253 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); | |
1254 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
1255 | return 1; | |
1256 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
1257 | ||
1258 | BOOST_REQUIRE(srcmask); | |
1259 | BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.0.0/16"); | |
1260 | ||
1261 | setLWResult(res, 0, true, false, false); | |
1262 | addRecordToLW(res, domain, QType::A, "192.0.2.2"); | |
1263 | return 1; | |
1264 | } | |
1265 | ||
1266 | return 0; | |
1267 | }); | |
1268 | ||
1269 | vector<DNSRecord> ret; | |
1270 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
1271 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
1272 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
1273 | BOOST_CHECK(ret[0].d_type == QType::A); | |
1274 | BOOST_CHECK_EQUAL(ret[0].d_name, target); | |
1275 | } | |
1276 | ||
1277 | BOOST_AUTO_TEST_CASE(test_ecs_honor_incoming_mask_zero) { | |
1278 | std::unique_ptr<SyncRes> sr; | |
1279 | initSR(sr); | |
1280 | ||
1281 | primeHints(); | |
1282 | ||
1283 | const DNSName target("powerdns.com."); | |
1284 | SyncRes::addEDNSRemoteSubnet("192.0.2.1/32"); | |
1285 | SyncRes::clearEDNSLocalSubnets(); | |
1286 | SyncRes::addEDNSLocalSubnet("192.0.2.254/32"); | |
1287 | EDNSSubnetOpts incomingECS; | |
1288 | incomingECS.source = Netmask("0.0.0.0/0"); | |
1289 | sr->setQuerySource(ComboAddress("192.0.2.127"), boost::optional<const EDNSSubnetOpts&>(incomingECS)); | |
1290 | ||
0bd2e252 | 1291 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
2fe3354d CH |
1292 | |
1293 | if (isRootServer(ip)) { | |
1294 | BOOST_REQUIRE(!srcmask); | |
1295 | ||
1296 | setLWResult(res, 0, false, false, true); | |
1297 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); | |
1298 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
1299 | return 1; | |
1300 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
1301 | ||
1302 | BOOST_REQUIRE(srcmask); | |
1303 | BOOST_CHECK_EQUAL(srcmask->toString(), "127.0.0.1/32"); | |
1304 | ||
1305 | setLWResult(res, 0, true, false, false); | |
1306 | addRecordToLW(res, domain, QType::A, "192.0.2.2"); | |
1307 | return 1; | |
1308 | } | |
1309 | ||
1310 | return 0; | |
1311 | }); | |
1312 | ||
1313 | vector<DNSRecord> ret; | |
1314 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
1315 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
1316 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
1317 | BOOST_CHECK(ret[0].d_type == QType::A); | |
1318 | BOOST_CHECK_EQUAL(ret[0].d_name, target); | |
1319 | } | |
1320 | ||
778bcea6 RG |
1321 | BOOST_AUTO_TEST_CASE(test_following_cname) { |
1322 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1323 | initSR(sr); |
778bcea6 RG |
1324 | |
1325 | primeHints(); | |
1326 | ||
1327 | const DNSName target("cname.powerdns.com."); | |
1328 | const DNSName cnameTarget("cname-target.powerdns.com"); | |
1329 | ||
0bd2e252 | 1330 | sr->setAsyncCallback([target, cnameTarget](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
778bcea6 RG |
1331 | |
1332 | if (isRootServer(ip)) { | |
8455425c | 1333 | setLWResult(res, 0, false, false, true); |
778bcea6 RG |
1334 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
1335 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
1336 | return 1; | |
1337 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
1338 | ||
1339 | if (domain == target) { | |
1340 | setLWResult(res, 0, true, false, false); | |
1341 | addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString()); | |
1342 | return 1; | |
1343 | } | |
1344 | else if (domain == cnameTarget) { | |
1345 | setLWResult(res, 0, true, false, false); | |
1346 | addRecordToLW(res, domain, QType::A, "192.0.2.2"); | |
1347 | } | |
1348 | ||
1349 | return 1; | |
1350 | } | |
1351 | ||
1352 | return 0; | |
1353 | }); | |
1354 | ||
1355 | vector<DNSRecord> ret; | |
1356 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 1357 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
778bcea6 RG |
1358 | BOOST_REQUIRE_EQUAL(ret.size(), 2); |
1359 | BOOST_CHECK(ret[0].d_type == QType::CNAME); | |
1360 | BOOST_CHECK_EQUAL(ret[0].d_name, target); | |
1361 | BOOST_CHECK(ret[1].d_type == QType::A); | |
1362 | BOOST_CHECK_EQUAL(ret[1].d_name, cnameTarget); | |
1363 | } | |
1364 | ||
9b061cf5 RG |
1365 | BOOST_AUTO_TEST_CASE(test_cname_nxdomain) { |
1366 | std::unique_ptr<SyncRes> sr; | |
1367 | initSR(sr); | |
1368 | ||
1369 | primeHints(); | |
1370 | ||
1371 | const DNSName target("cname.powerdns.com."); | |
1372 | const DNSName cnameTarget("cname-target.powerdns.com"); | |
1373 | ||
0bd2e252 | 1374 | sr->setAsyncCallback([target, cnameTarget](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
9b061cf5 RG |
1375 | |
1376 | if (isRootServer(ip)) { | |
1377 | setLWResult(res, 0, false, false, true); | |
1378 | addRecordToLW(res, "powerdns.com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); | |
1379 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
1380 | return 1; | |
1381 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
1382 | ||
1383 | if (domain == target) { | |
1384 | setLWResult(res, RCode::NXDomain, true, false, false); | |
1385 | addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString()); | |
1386 | addRecordToLW(res, "powerdns.com.", QType::SOA, "a.powerdns.com. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); | |
1387 | } else if (domain == cnameTarget) { | |
1388 | setLWResult(res, RCode::NXDomain, true, false, false); | |
1389 | addRecordToLW(res, "powerdns.com.", QType::SOA, "a.powerdns.com. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); | |
1390 | return 1; | |
1391 | } | |
1392 | ||
1393 | return 1; | |
1394 | } | |
1395 | ||
1396 | return 0; | |
1397 | }); | |
1398 | ||
1399 | vector<DNSRecord> ret; | |
1400 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
1401 | BOOST_CHECK_EQUAL(res, RCode::NXDomain); | |
1402 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
1403 | BOOST_CHECK(ret[0].d_type == QType::CNAME); | |
1404 | BOOST_CHECK_EQUAL(ret[0].d_name, target); | |
1405 | BOOST_CHECK(ret[1].d_type == QType::SOA); | |
1406 | ||
1407 | /* a second time, to check the cache */ | |
1408 | ret.clear(); | |
1409 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
1410 | BOOST_CHECK_EQUAL(res, RCode::NXDomain); | |
1411 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
1412 | BOOST_CHECK(ret[0].d_type == QType::CNAME); | |
1413 | BOOST_CHECK_EQUAL(ret[0].d_name, target); | |
1414 | BOOST_CHECK(ret[1].d_type == QType::SOA); | |
1415 | } | |
1416 | ||
4fff116b RG |
1417 | BOOST_AUTO_TEST_CASE(test_included_poisonous_cname) { |
1418 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1419 | initSR(sr); |
4fff116b RG |
1420 | |
1421 | primeHints(); | |
1422 | ||
1423 | /* In this test we directly get the NS server for cname.powerdns.com., | |
1424 | and we don't know whether it's also authoritative for | |
1425 | cname-target.powerdns.com or powerdns.com, so we shouldn't accept | |
1426 | the additional A record for cname-target.powerdns.com. */ | |
1427 | const DNSName target("cname.powerdns.com."); | |
1428 | const DNSName cnameTarget("cname-target.powerdns.com"); | |
1429 | ||
0bd2e252 | 1430 | sr->setAsyncCallback([target, cnameTarget](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
4fff116b RG |
1431 | |
1432 | if (isRootServer(ip)) { | |
1433 | ||
8455425c | 1434 | setLWResult(res, 0, false, false, true); |
4fff116b RG |
1435 | |
1436 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); | |
1437 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
1438 | return 1; | |
1439 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
1440 | ||
1441 | if (domain == target) { | |
1442 | setLWResult(res, 0, true, false, false); | |
1443 | addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString()); | |
1444 | addRecordToLW(res, cnameTarget, QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL); | |
1445 | return 1; | |
1446 | } else if (domain == cnameTarget) { | |
1447 | setLWResult(res, 0, true, false, false); | |
1448 | addRecordToLW(res, cnameTarget, QType::A, "192.0.2.3"); | |
1449 | return 1; | |
1450 | } | |
1451 | ||
1452 | return 1; | |
1453 | } | |
1454 | ||
1455 | return 0; | |
1456 | }); | |
1457 | ||
1458 | vector<DNSRecord> ret; | |
1459 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 1460 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
4fff116b RG |
1461 | BOOST_REQUIRE_EQUAL(ret.size(), 2); |
1462 | BOOST_REQUIRE(ret[0].d_type == QType::CNAME); | |
1463 | BOOST_CHECK_EQUAL(ret[0].d_name, target); | |
1464 | BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[0])->getTarget(), cnameTarget); | |
1465 | BOOST_REQUIRE(ret[1].d_type == QType::A); | |
1466 | BOOST_CHECK_EQUAL(ret[1].d_name, cnameTarget); | |
1467 | BOOST_CHECK(getRR<ARecordContent>(ret[1])->getCA() == ComboAddress("192.0.2.3")); | |
1468 | } | |
1469 | ||
778bcea6 RG |
1470 | BOOST_AUTO_TEST_CASE(test_cname_loop) { |
1471 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1472 | initSR(sr); |
778bcea6 RG |
1473 | |
1474 | primeHints(); | |
1475 | ||
1476 | size_t count = 0; | |
1477 | const DNSName target("cname.powerdns.com."); | |
1478 | ||
0bd2e252 | 1479 | sr->setAsyncCallback([target,&count](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
778bcea6 RG |
1480 | |
1481 | count++; | |
1482 | ||
1483 | if (isRootServer(ip)) { | |
778bcea6 | 1484 | |
8455425c | 1485 | setLWResult(res, 0, false, false, true); |
778bcea6 RG |
1486 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
1487 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
1488 | return 1; | |
1489 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
1490 | ||
1491 | if (domain == target) { | |
1492 | setLWResult(res, 0, true, false, false); | |
1493 | addRecordToLW(res, domain, QType::CNAME, domain.toString()); | |
1494 | return 1; | |
1495 | } | |
1496 | ||
1497 | return 1; | |
1498 | } | |
1499 | ||
1500 | return 0; | |
1501 | }); | |
1502 | ||
1503 | vector<DNSRecord> ret; | |
1504 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
f58c8379 RG |
1505 | BOOST_CHECK_EQUAL(res, RCode::ServFail); |
1506 | BOOST_CHECK_GT(ret.size(), 0); | |
778bcea6 | 1507 | BOOST_CHECK_EQUAL(count, 2); |
e9f9b8ec RG |
1508 | } |
1509 | ||
4fff116b RG |
1510 | BOOST_AUTO_TEST_CASE(test_cname_depth) { |
1511 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1512 | initSR(sr); |
4fff116b RG |
1513 | |
1514 | primeHints(); | |
1515 | ||
1516 | size_t depth = 0; | |
1517 | const DNSName target("cname.powerdns.com."); | |
1518 | ||
0bd2e252 | 1519 | sr->setAsyncCallback([target,&depth](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
4fff116b RG |
1520 | |
1521 | if (isRootServer(ip)) { | |
4fff116b | 1522 | |
8455425c | 1523 | setLWResult(res, 0, false, false, true); |
4fff116b RG |
1524 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
1525 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
1526 | return 1; | |
1527 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
1528 | ||
1529 | setLWResult(res, 0, true, false, false); | |
1530 | addRecordToLW(res, domain, QType::CNAME, std::to_string(depth) + "-cname.powerdns.com"); | |
1531 | depth++; | |
1532 | return 1; | |
1533 | } | |
1534 | ||
1535 | return 0; | |
1536 | }); | |
1537 | ||
1538 | vector<DNSRecord> ret; | |
1539 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
f58c8379 RG |
1540 | BOOST_CHECK_EQUAL(res, RCode::ServFail); |
1541 | BOOST_CHECK_EQUAL(ret.size(), depth); | |
4fff116b RG |
1542 | /* we have an arbitrary limit at 10 when following a CNAME chain */ |
1543 | BOOST_CHECK_EQUAL(depth, 10 + 2); | |
1544 | } | |
1545 | ||
d6e797b8 RG |
1546 | BOOST_AUTO_TEST_CASE(test_time_limit) { |
1547 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1548 | initSR(sr); |
d6e797b8 RG |
1549 | |
1550 | primeHints(); | |
1551 | ||
1552 | size_t queries = 0; | |
1553 | const DNSName target("cname.powerdns.com."); | |
1554 | ||
0bd2e252 | 1555 | sr->setAsyncCallback([target,&queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
d6e797b8 RG |
1556 | |
1557 | queries++; | |
1558 | ||
1559 | if (isRootServer(ip)) { | |
8455425c | 1560 | setLWResult(res, 0, false, false, true); |
d6e797b8 RG |
1561 | /* Pretend that this query took 2000 ms */ |
1562 | res->d_usec = 2000; | |
1563 | ||
1564 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); | |
1565 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
1566 | return 1; | |
1567 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
1568 | ||
1569 | setLWResult(res, 0, true, false, false); | |
1570 | addRecordToLW(res, domain, QType::A, "192.0.2.2"); | |
1571 | return 1; | |
1572 | } | |
1573 | ||
1574 | return 0; | |
1575 | }); | |
1576 | ||
1577 | /* Set the maximum time to 1 ms */ | |
1578 | SyncRes::s_maxtotusec = 1000; | |
1579 | ||
1580 | try { | |
1581 | vector<DNSRecord> ret; | |
1582 | sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
1583 | BOOST_CHECK(false); | |
1584 | } | |
1585 | catch(const ImmediateServFailException& e) { | |
1586 | } | |
1587 | BOOST_CHECK_EQUAL(queries, 1); | |
1588 | } | |
1589 | ||
1590 | BOOST_AUTO_TEST_CASE(test_referral_depth) { | |
1591 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1592 | initSR(sr); |
d6e797b8 RG |
1593 | |
1594 | primeHints(); | |
1595 | ||
1596 | size_t queries = 0; | |
1597 | const DNSName target("www.powerdns.com."); | |
1598 | ||
0bd2e252 | 1599 | sr->setAsyncCallback([target,&queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
d6e797b8 RG |
1600 | |
1601 | queries++; | |
1602 | ||
1603 | if (isRootServer(ip)) { | |
8455425c | 1604 | setLWResult(res, 0, false, false, true); |
d6e797b8 RG |
1605 | |
1606 | if (domain == DNSName("www.powerdns.com.")) { | |
1607 | addRecordToLW(res, domain, QType::NS, "ns.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); | |
1608 | } | |
1609 | else if (domain == DNSName("ns.powerdns.com.")) { | |
1610 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800); | |
1611 | } | |
1612 | else if (domain == DNSName("ns1.powerdns.org.")) { | |
1613 | addRecordToLW(res, domain, QType::NS, "ns2.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800); | |
1614 | } | |
1615 | else if (domain == DNSName("ns2.powerdns.org.")) { | |
1616 | addRecordToLW(res, domain, QType::NS, "ns3.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800); | |
1617 | } | |
1618 | else if (domain == DNSName("ns3.powerdns.org.")) { | |
1619 | addRecordToLW(res, domain, QType::NS, "ns4.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800); | |
1620 | } | |
1621 | else if (domain == DNSName("ns4.powerdns.org.")) { | |
1622 | addRecordToLW(res, domain, QType::NS, "ns5.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800); | |
1623 | addRecordToLW(res, domain, QType::A, "192.0.2.1", DNSResourceRecord::AUTHORITY, 172800); | |
1624 | } | |
1625 | ||
1626 | return 1; | |
1627 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
1628 | ||
1629 | setLWResult(res, 0, true, false, false); | |
1630 | addRecordToLW(res, domain, QType::A, "192.0.2.2"); | |
1631 | return 1; | |
1632 | } | |
1633 | ||
1634 | return 0; | |
1635 | }); | |
1636 | ||
1637 | /* Set the maximum depth low */ | |
1638 | SyncRes::s_maxdepth = 10; | |
1639 | ||
1640 | try { | |
1641 | vector<DNSRecord> ret; | |
1642 | sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
1643 | BOOST_CHECK(false); | |
1644 | } | |
1645 | catch(const ImmediateServFailException& e) { | |
1646 | } | |
1647 | } | |
1648 | ||
1649 | BOOST_AUTO_TEST_CASE(test_cname_qperq) { | |
1650 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1651 | initSR(sr); |
d6e797b8 RG |
1652 | |
1653 | primeHints(); | |
1654 | ||
1655 | size_t queries = 0; | |
1656 | const DNSName target("cname.powerdns.com."); | |
1657 | ||
0bd2e252 | 1658 | sr->setAsyncCallback([target,&queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
d6e797b8 RG |
1659 | |
1660 | queries++; | |
1661 | ||
1662 | if (isRootServer(ip)) { | |
1663 | ||
8455425c | 1664 | setLWResult(res, 0, false, false, true); |
d6e797b8 RG |
1665 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
1666 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
1667 | return 1; | |
1668 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
1669 | ||
1670 | setLWResult(res, 0, true, false, false); | |
1671 | addRecordToLW(res, domain, QType::CNAME, std::to_string(queries) + "-cname.powerdns.com"); | |
1672 | return 1; | |
1673 | } | |
1674 | ||
1675 | return 0; | |
1676 | }); | |
1677 | ||
1678 | /* Set the maximum number of questions very low */ | |
1679 | SyncRes::s_maxqperq = 5; | |
1680 | ||
1681 | try { | |
1682 | vector<DNSRecord> ret; | |
1683 | sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
1684 | BOOST_CHECK(false); | |
1685 | } | |
1686 | catch(const ImmediateServFailException& e) { | |
1687 | BOOST_CHECK_EQUAL(queries, SyncRes::s_maxqperq); | |
1688 | } | |
1689 | } | |
1690 | ||
ccb07d93 RG |
1691 | BOOST_AUTO_TEST_CASE(test_throttled_server) { |
1692 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1693 | initSR(sr); |
ccb07d93 RG |
1694 | |
1695 | primeHints(); | |
1696 | ||
1697 | const DNSName target("throttled.powerdns.com."); | |
1698 | const ComboAddress ns("192.0.2.1:53"); | |
1699 | size_t queriesToNS = 0; | |
1700 | ||
0bd2e252 | 1701 | sr->setAsyncCallback([target,ns,&queriesToNS](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
ccb07d93 RG |
1702 | |
1703 | if (isRootServer(ip)) { | |
ccb07d93 | 1704 | |
8455425c | 1705 | setLWResult(res, 0, false, false, true); |
ccb07d93 RG |
1706 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
1707 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600); | |
1708 | return 1; | |
1709 | } else if (ip == ns) { | |
1710 | ||
1711 | queriesToNS++; | |
1712 | ||
1713 | setLWResult(res, 0, true, false, false); | |
1714 | addRecordToLW(res, domain, QType::A, "192.0.2.2"); | |
1715 | ||
1716 | return 1; | |
1717 | } | |
1718 | ||
1719 | return 0; | |
1720 | }); | |
1721 | ||
1722 | /* mark ns as down */ | |
606accb0 RG |
1723 | time_t now = sr->getNow().tv_sec; |
1724 | SyncRes::doThrottle(now, ns, SyncRes::s_serverdownthrottletime, 10000); | |
ccb07d93 RG |
1725 | |
1726 | vector<DNSRecord> ret; | |
1727 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
f58c8379 RG |
1728 | BOOST_CHECK_EQUAL(res, RCode::ServFail); |
1729 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
1730 | /* we should not have sent any queries to ns */ | |
ccb07d93 RG |
1731 | BOOST_CHECK_EQUAL(queriesToNS, 0); |
1732 | } | |
1733 | ||
1734 | BOOST_AUTO_TEST_CASE(test_throttled_server_count) { | |
1735 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1736 | initSR(sr); |
ccb07d93 RG |
1737 | |
1738 | primeHints(); | |
1739 | ||
1740 | const ComboAddress ns("192.0.2.1:53"); | |
1741 | ||
1742 | const size_t blocks = 10; | |
1743 | /* mark ns as down for 'blocks' queries */ | |
606accb0 RG |
1744 | time_t now = sr->getNow().tv_sec; |
1745 | SyncRes::doThrottle(now, ns, SyncRes::s_serverdownthrottletime, blocks); | |
ccb07d93 RG |
1746 | |
1747 | for (size_t idx = 0; idx < blocks; idx++) { | |
606accb0 | 1748 | BOOST_CHECK(SyncRes::isThrottled(now, ns)); |
ccb07d93 RG |
1749 | } |
1750 | ||
1751 | /* we have been throttled 'blocks' times, we should not be throttled anymore */ | |
606accb0 | 1752 | BOOST_CHECK(!SyncRes::isThrottled(now, ns)); |
ccb07d93 RG |
1753 | } |
1754 | ||
1755 | BOOST_AUTO_TEST_CASE(test_throttled_server_time) { | |
1756 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1757 | initSR(sr); |
ccb07d93 RG |
1758 | |
1759 | primeHints(); | |
1760 | ||
1761 | const ComboAddress ns("192.0.2.1:53"); | |
1762 | ||
1763 | const size_t seconds = 1; | |
1764 | /* mark ns as down for 'seconds' seconds */ | |
606accb0 RG |
1765 | time_t now = sr->getNow().tv_sec; |
1766 | SyncRes::doThrottle(now, ns, seconds, 10000); | |
a712cb56 | 1767 | |
606accb0 | 1768 | BOOST_CHECK(SyncRes::isThrottled(now, ns)); |
ccb07d93 RG |
1769 | |
1770 | /* we should not be throttled anymore */ | |
606accb0 | 1771 | BOOST_CHECK(!SyncRes::isThrottled(now + 2, ns)); |
ccb07d93 RG |
1772 | } |
1773 | ||
f58c8379 RG |
1774 | BOOST_AUTO_TEST_CASE(test_dont_query_server) { |
1775 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1776 | initSR(sr); |
f58c8379 RG |
1777 | |
1778 | primeHints(); | |
1779 | ||
1780 | const DNSName target("throttled.powerdns.com."); | |
1781 | const ComboAddress ns("192.0.2.1:53"); | |
1782 | size_t queriesToNS = 0; | |
1783 | ||
0bd2e252 | 1784 | sr->setAsyncCallback([target,ns,&queriesToNS](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
f58c8379 RG |
1785 | |
1786 | if (isRootServer(ip)) { | |
1787 | ||
8455425c | 1788 | setLWResult(res, 0, false, false, true); |
f58c8379 RG |
1789 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
1790 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600); | |
1791 | return 1; | |
1792 | } else if (ip == ns) { | |
1793 | ||
1794 | queriesToNS++; | |
1795 | ||
1796 | setLWResult(res, 0, true, false, false); | |
1797 | addRecordToLW(res, domain, QType::A, "192.0.2.2"); | |
1798 | ||
1799 | return 1; | |
1800 | } | |
1801 | ||
1802 | return 0; | |
1803 | }); | |
1804 | ||
1805 | /* prevent querying this NS */ | |
9065eb05 | 1806 | SyncRes::addDontQuery(Netmask(ns)); |
f58c8379 RG |
1807 | |
1808 | vector<DNSRecord> ret; | |
1809 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
1810 | BOOST_CHECK_EQUAL(res, RCode::ServFail); | |
1811 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
1812 | /* we should not have sent any queries to ns */ | |
1813 | BOOST_CHECK_EQUAL(queriesToNS, 0); | |
1814 | } | |
1815 | ||
1816 | BOOST_AUTO_TEST_CASE(test_root_nx_trust) { | |
1817 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1818 | initSR(sr); |
f58c8379 RG |
1819 | |
1820 | primeHints(); | |
1821 | ||
1822 | const DNSName target1("powerdns.com."); | |
1823 | const DNSName target2("notpowerdns.com."); | |
1824 | const ComboAddress ns("192.0.2.1:53"); | |
1825 | size_t queriesCount = 0; | |
1826 | ||
0bd2e252 | 1827 | sr->setAsyncCallback([target1, target2, ns, &queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
f58c8379 RG |
1828 | |
1829 | queriesCount++; | |
1830 | ||
1831 | if (isRootServer(ip)) { | |
1832 | ||
1833 | if (domain == target1) { | |
1834 | setLWResult(res, RCode::NXDomain, true, false, true); | |
1835 | addRecordToLW(res, ".", QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); | |
1836 | } | |
1837 | else { | |
1838 | setLWResult(res, 0, true, false, true); | |
1839 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); | |
1840 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600); | |
1841 | } | |
1842 | ||
1843 | return 1; | |
1844 | } else if (ip == ns) { | |
1845 | ||
1846 | setLWResult(res, 0, true, false, false); | |
1847 | addRecordToLW(res, domain, QType::A, "192.0.2.2"); | |
1848 | ||
1849 | return 1; | |
1850 | } | |
1851 | ||
1852 | return 0; | |
1853 | }); | |
1854 | ||
1855 | vector<DNSRecord> ret; | |
1856 | int res = sr->beginResolve(target1, QType(QType::A), QClass::IN, ret); | |
1857 | BOOST_CHECK_EQUAL(res, RCode::NXDomain); | |
1858 | BOOST_CHECK_EQUAL(ret.size(), 1); | |
1859 | /* one for target1 and one for the entire TLD */ | |
a712cb56 | 1860 | BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 2); |
f58c8379 RG |
1861 | |
1862 | ret.clear(); | |
1863 | res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret); | |
1864 | BOOST_CHECK_EQUAL(res, RCode::NXDomain); | |
1865 | BOOST_CHECK_EQUAL(ret.size(), 1); | |
1866 | /* one for target1 and one for the entire TLD */ | |
a712cb56 | 1867 | BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 2); |
f58c8379 RG |
1868 | |
1869 | /* we should have sent only one query */ | |
1870 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
1871 | } | |
1872 | ||
898856ca RG |
1873 | BOOST_AUTO_TEST_CASE(test_root_nx_trust_specific) { |
1874 | std::unique_ptr<SyncRes> sr; | |
1875 | init(); | |
1876 | initSR(sr, true, false); | |
1877 | ||
1878 | primeHints(); | |
1879 | ||
1880 | const DNSName target1("powerdns.com."); | |
1881 | const DNSName target2("notpowerdns.com."); | |
1882 | const ComboAddress ns("192.0.2.1:53"); | |
1883 | size_t queriesCount = 0; | |
1884 | ||
1885 | /* This time the root denies target1 with a "com." SOA instead of a "." one. | |
1886 | We should add target1 to the negcache, but not "com.". */ | |
1887 | ||
0bd2e252 | 1888 | sr->setAsyncCallback([target1, target2, ns, &queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
898856ca RG |
1889 | |
1890 | queriesCount++; | |
1891 | ||
1892 | if (isRootServer(ip)) { | |
1893 | ||
1894 | if (domain == target1) { | |
1895 | setLWResult(res, RCode::NXDomain, true, false, true); | |
1896 | addRecordToLW(res, "com.", QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); | |
1897 | } | |
1898 | else { | |
1899 | setLWResult(res, 0, true, false, true); | |
1900 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); | |
1901 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600); | |
1902 | } | |
1903 | ||
1904 | return 1; | |
1905 | } else if (ip == ns) { | |
1906 | ||
1907 | setLWResult(res, 0, true, false, false); | |
1908 | addRecordToLW(res, domain, QType::A, "192.0.2.2"); | |
1909 | ||
1910 | return 1; | |
1911 | } | |
1912 | ||
1913 | return 0; | |
1914 | }); | |
1915 | ||
1916 | vector<DNSRecord> ret; | |
1917 | int res = sr->beginResolve(target1, QType(QType::A), QClass::IN, ret); | |
1918 | BOOST_CHECK_EQUAL(res, RCode::NXDomain); | |
1919 | BOOST_CHECK_EQUAL(ret.size(), 1); | |
1920 | ||
1921 | /* even with root-nx-trust on and a NX answer from the root, | |
1922 | we should not have cached the entire TLD this time. */ | |
a712cb56 | 1923 | BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1); |
898856ca RG |
1924 | |
1925 | ret.clear(); | |
1926 | res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret); | |
1927 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
1928 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
1929 | BOOST_REQUIRE(ret[0].d_type == QType::A); | |
1930 | BOOST_CHECK_EQUAL(ret[0].d_name, target2); | |
1931 | BOOST_CHECK(getRR<ARecordContent>(ret[0])->getCA() == ComboAddress("192.0.2.2")); | |
1932 | ||
a712cb56 | 1933 | BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1); |
898856ca RG |
1934 | |
1935 | BOOST_CHECK_EQUAL(queriesCount, 3); | |
1936 | } | |
1937 | ||
f58c8379 RG |
1938 | BOOST_AUTO_TEST_CASE(test_root_nx_dont_trust) { |
1939 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1940 | initSR(sr); |
f58c8379 RG |
1941 | |
1942 | primeHints(); | |
1943 | ||
1944 | const DNSName target1("powerdns.com."); | |
1945 | const DNSName target2("notpowerdns.com."); | |
1946 | const ComboAddress ns("192.0.2.1:53"); | |
1947 | size_t queriesCount = 0; | |
1948 | ||
0bd2e252 | 1949 | sr->setAsyncCallback([target1, target2, ns, &queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
f58c8379 RG |
1950 | |
1951 | queriesCount++; | |
1952 | ||
1953 | if (isRootServer(ip)) { | |
1954 | ||
1955 | if (domain == target1) { | |
1956 | setLWResult(res, RCode::NXDomain, true, false, true); | |
1957 | addRecordToLW(res, ".", QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); | |
1958 | } | |
1959 | else { | |
1960 | setLWResult(res, 0, true, false, true); | |
1961 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); | |
1962 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600); | |
1963 | } | |
1964 | ||
1965 | return 1; | |
1966 | } else if (ip == ns) { | |
1967 | ||
1968 | setLWResult(res, 0, true, false, false); | |
1969 | addRecordToLW(res, domain, QType::A, "192.0.2.2"); | |
1970 | ||
1971 | return 1; | |
1972 | } | |
1973 | ||
1974 | return 0; | |
1975 | }); | |
1976 | ||
1977 | SyncRes::s_rootNXTrust = false; | |
1978 | ||
1979 | vector<DNSRecord> ret; | |
1980 | int res = sr->beginResolve(target1, QType(QType::A), QClass::IN, ret); | |
1981 | BOOST_CHECK_EQUAL(res, RCode::NXDomain); | |
1982 | BOOST_CHECK_EQUAL(ret.size(), 1); | |
1983 | /* one for target1 */ | |
a712cb56 | 1984 | BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 1); |
f58c8379 RG |
1985 | |
1986 | ret.clear(); | |
1987 | res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 1988 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
f58c8379 RG |
1989 | BOOST_CHECK_EQUAL(ret.size(), 1); |
1990 | /* one for target1 */ | |
a712cb56 | 1991 | BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 1); |
f58c8379 RG |
1992 | |
1993 | /* we should have sent three queries */ | |
1994 | BOOST_CHECK_EQUAL(queriesCount, 3); | |
1995 | } | |
1996 | ||
1997 | BOOST_AUTO_TEST_CASE(test_skip_negcache_for_variable_response) { | |
1998 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 1999 | initSR(sr); |
f58c8379 RG |
2000 | |
2001 | primeHints(); | |
2002 | ||
2003 | const DNSName target("www.powerdns.com."); | |
2004 | const DNSName cnameTarget("cname.powerdns.com."); | |
2005 | ||
9065eb05 | 2006 | SyncRes::addEDNSDomain(DNSName("powerdns.com.")); |
f58c8379 RG |
2007 | |
2008 | EDNSSubnetOpts incomingECS; | |
2009 | incomingECS.source = Netmask("192.0.2.128/32"); | |
2fe3354d | 2010 | sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS)); |
f58c8379 | 2011 | |
0bd2e252 | 2012 | sr->setAsyncCallback([target,cnameTarget](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
f58c8379 RG |
2013 | |
2014 | BOOST_REQUIRE(srcmask); | |
2015 | BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24"); | |
2016 | ||
2017 | if (isRootServer(ip)) { | |
8455425c | 2018 | setLWResult(res, 0, false, false, true); |
f58c8379 RG |
2019 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); |
2020 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
2021 | ||
2022 | return 1; | |
2023 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
2024 | if (domain == target) { | |
2025 | /* Type 2 NXDOMAIN (rfc2308 section-2.1) */ | |
2026 | setLWResult(res, RCode::NXDomain, true, false, true); | |
2027 | addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString()); | |
2028 | addRecordToLW(res, "powerdns.com", QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
2029 | } | |
2030 | else if (domain == cnameTarget) { | |
2031 | /* we shouldn't get there since the Type NXDOMAIN should have been enough, | |
2032 | but we might if we still chase the CNAME. */ | |
2033 | setLWResult(res, RCode::NXDomain, true, false, true); | |
2034 | addRecordToLW(res, "powerdns.com", QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
2035 | } | |
2036 | ||
2037 | return 1; | |
2038 | } | |
2039 | ||
2040 | return 0; | |
2041 | }); | |
2042 | ||
2043 | vector<DNSRecord> ret; | |
2044 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
2045 | BOOST_CHECK_EQUAL(res, RCode::NXDomain); | |
2046 | BOOST_CHECK_EQUAL(ret.size(), 2); | |
2047 | /* no negative cache entry because the response was variable */ | |
a712cb56 | 2048 | BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 0); |
f58c8379 RG |
2049 | } |
2050 | ||
d6e797b8 RG |
2051 | BOOST_AUTO_TEST_CASE(test_ns_speed) { |
2052 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2053 | initSR(sr); |
30ee601a | 2054 | |
d6e797b8 | 2055 | primeHints(); |
30ee601a | 2056 | |
d6e797b8 | 2057 | const DNSName target("powerdns.com."); |
30ee601a | 2058 | |
d6e797b8 | 2059 | std::map<ComboAddress, uint64_t> nsCounts; |
30ee601a | 2060 | |
0bd2e252 | 2061 | sr->setAsyncCallback([target,&nsCounts](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
30ee601a | 2062 | |
d6e797b8 | 2063 | if (isRootServer(ip)) { |
8455425c | 2064 | setLWResult(res, 0, false, false, true); |
d6e797b8 RG |
2065 | addRecordToLW(res, domain, QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); |
2066 | addRecordToLW(res, domain, QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); | |
2067 | addRecordToLW(res, domain, QType::NS, "pdns-public-ns3.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); | |
30ee601a | 2068 | |
d6e797b8 RG |
2069 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); |
2070 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600); | |
2071 | addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
2072 | addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 3600); | |
2073 | addRecordToLW(res, "pdns-public-ns3.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 3600); | |
2074 | addRecordToLW(res, "pdns-public-ns3.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 3600); | |
30ee601a | 2075 | |
d6e797b8 RG |
2076 | return 1; |
2077 | } else { | |
2078 | nsCounts[ip]++; | |
30ee601a | 2079 | |
d6e797b8 RG |
2080 | if (ip == ComboAddress("[2001:DB8::2]:53") || ip == ComboAddress("192.0.2.2:53")) { |
2081 | BOOST_CHECK_LT(nsCounts.size(), 3); | |
2082 | ||
2083 | /* let's time out on pdns-public-ns2.powerdns.com. */ | |
2084 | return 0; | |
2085 | } | |
2086 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
2087 | BOOST_CHECK_EQUAL(nsCounts.size(), 3); | |
2088 | ||
2089 | setLWResult(res, 0, true, false, true); | |
2090 | addRecordToLW(res, domain, QType::A, "192.0.2.254"); | |
2091 | return 1; | |
2092 | } | |
2093 | ||
2094 | return 0; | |
2095 | } | |
30ee601a | 2096 | |
d6e797b8 RG |
2097 | return 0; |
2098 | }); | |
30ee601a | 2099 | |
606accb0 | 2100 | struct timeval now = sr->getNow(); |
30ee601a | 2101 | |
d6e797b8 RG |
2102 | /* make pdns-public-ns2.powerdns.com. the fastest NS, with its IPv6 address faster than the IPV4 one, |
2103 | then pdns-public-ns1.powerdns.com. on IPv4 */ | |
a712cb56 RG |
2104 | SyncRes::submitNSSpeed(DNSName("pdns-public-ns1.powerdns.com."), ComboAddress("192.0.2.1:53"), 100, &now); |
2105 | SyncRes::submitNSSpeed(DNSName("pdns-public-ns1.powerdns.com."), ComboAddress("[2001:DB8::1]:53"), 10000, &now); | |
2106 | SyncRes::submitNSSpeed(DNSName("pdns-public-ns2.powerdns.com."), ComboAddress("192.0.2.2:53"), 10, &now); | |
2107 | SyncRes::submitNSSpeed(DNSName("pdns-public-ns2.powerdns.com."), ComboAddress("[2001:DB8::2]:53"), 1, &now); | |
2108 | SyncRes::submitNSSpeed(DNSName("pdns-public-ns3.powerdns.com."), ComboAddress("192.0.2.3:53"), 10000, &now); | |
2109 | SyncRes::submitNSSpeed(DNSName("pdns-public-ns3.powerdns.com."), ComboAddress("[2001:DB8::3]:53"), 10000, &now); | |
30ee601a | 2110 | |
d6e797b8 RG |
2111 | vector<DNSRecord> ret; |
2112 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 2113 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
d6e797b8 RG |
2114 | BOOST_CHECK_EQUAL(ret.size(), 1); |
2115 | BOOST_CHECK_EQUAL(nsCounts.size(), 3); | |
2116 | BOOST_CHECK_EQUAL(nsCounts[ComboAddress("192.0.2.1:53")], 1); | |
2117 | BOOST_CHECK_EQUAL(nsCounts[ComboAddress("192.0.2.2:53")], 1); | |
2118 | BOOST_CHECK_EQUAL(nsCounts[ComboAddress("[2001:DB8::2]:53")], 1); | |
2119 | } | |
30ee601a | 2120 | |
d6e797b8 RG |
2121 | BOOST_AUTO_TEST_CASE(test_flawed_nsset) { |
2122 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2123 | initSR(sr); |
30ee601a | 2124 | |
d6e797b8 | 2125 | primeHints(); |
30ee601a | 2126 | |
d6e797b8 | 2127 | const DNSName target("powerdns.com."); |
30ee601a | 2128 | |
0bd2e252 | 2129 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
d6e797b8 RG |
2130 | |
2131 | if (isRootServer(ip)) { | |
8455425c | 2132 | setLWResult(res, 0, false, false, true); |
d6e797b8 RG |
2133 | addRecordToLW(res, domain, QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); |
2134 | ||
2135 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
2136 | ||
2137 | return 1; | |
2138 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
2139 | setLWResult(res, 0, true, false, true); | |
2140 | addRecordToLW(res, domain, QType::A, "192.0.2.254"); | |
2141 | return 1; | |
2142 | } | |
2143 | ||
2144 | return 0; | |
2145 | }); | |
2146 | ||
2147 | /* we populate the cache with a flawed NSset, i.e. there is a NS entry but no corresponding glue */ | |
a66eacd6 | 2148 | time_t now = sr->getNow().tv_sec; |
d6e797b8 RG |
2149 | std::vector<DNSRecord> records; |
2150 | std::vector<shared_ptr<RRSIGRecordContent> > sigs; | |
2151 | addRecordToList(records, target, QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, now + 3600); | |
2152 | ||
2b984251 | 2153 | t_RC->replace(now, target, QType(QType::NS), records, sigs, vector<std::shared_ptr<DNSRecord>>(), true, boost::optional<Netmask>()); |
d6e797b8 RG |
2154 | |
2155 | vector<DNSRecord> ret; | |
2156 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 2157 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
d6e797b8 RG |
2158 | BOOST_CHECK_EQUAL(ret.size(), 1); |
2159 | } | |
2160 | ||
3337c2f7 RG |
2161 | BOOST_AUTO_TEST_CASE(test_completely_flawed_nsset) { |
2162 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2163 | initSR(sr); |
3337c2f7 RG |
2164 | |
2165 | primeHints(); | |
2166 | ||
2167 | const DNSName target("powerdns.com."); | |
2168 | size_t queriesCount = 0; | |
2169 | ||
0bd2e252 | 2170 | sr->setAsyncCallback([&queriesCount,target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3337c2f7 RG |
2171 | |
2172 | queriesCount++; | |
2173 | ||
2174 | if (isRootServer(ip) && domain == target) { | |
8455425c | 2175 | setLWResult(res, 0, false, false, true); |
3337c2f7 RG |
2176 | addRecordToLW(res, domain, QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); |
2177 | addRecordToLW(res, domain, QType::NS, "pdns-public-ns3.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); | |
2178 | return 1; | |
2179 | } else if (domain == DNSName("pdns-public-ns2.powerdns.com.") || domain == DNSName("pdns-public-ns3.powerdns.com.")){ | |
2180 | setLWResult(res, 0, true, false, true); | |
2181 | addRecordToLW(res, ".", QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); | |
2182 | return 1; | |
2183 | } | |
2184 | ||
2185 | return 0; | |
2186 | }); | |
2187 | ||
2188 | vector<DNSRecord> ret; | |
2189 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
2190 | BOOST_CHECK_EQUAL(res, RCode::ServFail); | |
2191 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
2192 | /* one query to get NSs, then A and AAAA for each NS */ | |
2193 | BOOST_CHECK_EQUAL(queriesCount, 5); | |
2194 | } | |
2195 | ||
d6e797b8 RG |
2196 | BOOST_AUTO_TEST_CASE(test_cache_hit) { |
2197 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2198 | initSR(sr); |
d6e797b8 RG |
2199 | |
2200 | primeHints(); | |
2201 | ||
2202 | const DNSName target("powerdns.com."); | |
2203 | ||
0bd2e252 | 2204 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
d6e797b8 RG |
2205 | |
2206 | return 0; | |
2207 | }); | |
2208 | ||
2209 | /* we populate the cache with eveything we need */ | |
a66eacd6 | 2210 | time_t now = sr->getNow().tv_sec; |
d6e797b8 RG |
2211 | std::vector<DNSRecord> records; |
2212 | std::vector<shared_ptr<RRSIGRecordContent> > sigs; | |
2213 | ||
2214 | addRecordToList(records, target, QType::A, "192.0.2.1", DNSResourceRecord::ANSWER, now + 3600); | |
2b984251 | 2215 | t_RC->replace(now, target , QType(QType::A), records, sigs, vector<std::shared_ptr<DNSRecord>>(), true, boost::optional<Netmask>()); |
d6e797b8 RG |
2216 | |
2217 | vector<DNSRecord> ret; | |
2218 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 2219 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
d6e797b8 RG |
2220 | BOOST_CHECK_EQUAL(ret.size(), 1); |
2221 | } | |
2222 | ||
648bcbd1 RG |
2223 | BOOST_AUTO_TEST_CASE(test_no_rd) { |
2224 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2225 | initSR(sr); |
648bcbd1 RG |
2226 | |
2227 | primeHints(); | |
2228 | ||
2229 | const DNSName target("powerdns.com."); | |
2230 | size_t queriesCount = 0; | |
2231 | ||
2232 | sr->setCacheOnly(); | |
2233 | ||
0bd2e252 | 2234 | sr->setAsyncCallback([target,&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
648bcbd1 RG |
2235 | |
2236 | queriesCount++; | |
2237 | return 0; | |
2238 | }); | |
2239 | ||
2240 | vector<DNSRecord> ret; | |
2241 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 2242 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
2243 | BOOST_CHECK_EQUAL(ret.size(), 0); |
2244 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2245 | } | |
2246 | ||
d6e797b8 RG |
2247 | BOOST_AUTO_TEST_CASE(test_cache_min_max_ttl) { |
2248 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2249 | initSR(sr); |
d6e797b8 RG |
2250 | |
2251 | primeHints(); | |
2252 | ||
2253 | const DNSName target("cachettl.powerdns.com."); | |
2254 | const ComboAddress ns("192.0.2.1:53"); | |
2255 | ||
0bd2e252 | 2256 | sr->setAsyncCallback([target,ns](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
d6e797b8 RG |
2257 | |
2258 | if (isRootServer(ip)) { | |
2259 | ||
8455425c | 2260 | setLWResult(res, 0, false, false, true); |
d6e797b8 RG |
2261 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
2262 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 7200); | |
2263 | return 1; | |
2264 | } else if (ip == ns) { | |
2265 | ||
2266 | setLWResult(res, 0, true, false, false); | |
2267 | addRecordToLW(res, domain, QType::A, "192.0.2.2", DNSResourceRecord::ANSWER, 10); | |
2268 | ||
2269 | return 1; | |
2270 | } | |
2271 | ||
2272 | return 0; | |
2273 | }); | |
2274 | ||
a66eacd6 | 2275 | const time_t now = sr->getNow().tv_sec; |
d6e797b8 RG |
2276 | SyncRes::s_minimumTTL = 60; |
2277 | SyncRes::s_maxcachettl = 3600; | |
2278 | ||
2279 | vector<DNSRecord> ret; | |
2280 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 2281 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
d6e797b8 RG |
2282 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
2283 | BOOST_CHECK_EQUAL(ret[0].d_ttl, SyncRes::s_minimumTTL); | |
2284 | ||
2285 | const ComboAddress who; | |
2286 | vector<DNSRecord> cached; | |
24bb9b58 | 2287 | BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0); |
d6e797b8 RG |
2288 | BOOST_REQUIRE_EQUAL(cached.size(), 1); |
2289 | BOOST_REQUIRE_GT(cached[0].d_ttl, now); | |
2290 | BOOST_CHECK_EQUAL((cached[0].d_ttl - now), SyncRes::s_minimumTTL); | |
2291 | ||
2292 | cached.clear(); | |
24bb9b58 | 2293 | BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::NS), false, &cached, who), 0); |
d6e797b8 RG |
2294 | BOOST_REQUIRE_EQUAL(cached.size(), 1); |
2295 | BOOST_REQUIRE_GT(cached[0].d_ttl, now); | |
2296 | BOOST_CHECK_LE((cached[0].d_ttl - now), SyncRes::s_maxcachettl); | |
2297 | } | |
2298 | ||
2299 | BOOST_AUTO_TEST_CASE(test_cache_expired_ttl) { | |
2300 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2301 | initSR(sr); |
d6e797b8 RG |
2302 | |
2303 | primeHints(); | |
2304 | ||
2305 | const DNSName target("powerdns.com."); | |
2306 | ||
0bd2e252 | 2307 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
d6e797b8 RG |
2308 | |
2309 | if (isRootServer(ip)) { | |
8455425c | 2310 | setLWResult(res, 0, false, false, true); |
d6e797b8 RG |
2311 | addRecordToLW(res, domain, QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); |
2312 | ||
2313 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
2314 | ||
2315 | return 1; | |
2316 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
2317 | setLWResult(res, 0, true, false, true); | |
2318 | addRecordToLW(res, domain, QType::A, "192.0.2.2"); | |
2319 | return 1; | |
2320 | } | |
2321 | ||
2322 | return 0; | |
2323 | }); | |
2324 | ||
2325 | /* we populate the cache with entries that expired 60s ago*/ | |
129e658f RG |
2326 | const time_t now = sr->getNow().tv_sec; |
2327 | ||
d6e797b8 RG |
2328 | std::vector<DNSRecord> records; |
2329 | std::vector<shared_ptr<RRSIGRecordContent> > sigs; | |
2330 | addRecordToList(records, target, QType::A, "192.0.2.42", DNSResourceRecord::ANSWER, now - 60); | |
2331 | ||
2b984251 | 2332 | t_RC->replace(now - 3600, target, QType(QType::A), records, sigs, vector<std::shared_ptr<DNSRecord>>(), true, boost::optional<Netmask>()); |
d6e797b8 RG |
2333 | |
2334 | vector<DNSRecord> ret; | |
2335 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 2336 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
d6e797b8 RG |
2337 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
2338 | BOOST_REQUIRE(ret[0].d_type == QType::A); | |
2339 | BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[0])->getCA().toStringWithPort(), ComboAddress("192.0.2.2").toStringWithPort()); | |
2340 | } | |
2341 | ||
129e658f RG |
2342 | BOOST_AUTO_TEST_CASE(test_cache_auth) { |
2343 | std::unique_ptr<SyncRes> sr; | |
2344 | initSR(sr); | |
2345 | ||
2346 | primeHints(); | |
2347 | ||
2348 | /* the auth server is sending the same answer in answer and additional, | |
2349 | check that we only return one result, and we only cache one too. */ | |
2350 | const DNSName target("cache-auth.powerdns.com."); | |
2351 | ||
0bd2e252 | 2352 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
129e658f RG |
2353 | |
2354 | setLWResult(res, 0, true, false, true); | |
2355 | addRecordToLW(res, domain, QType::A, "192.0.2.2", DNSResourceRecord::ANSWER, 10); | |
2356 | addRecordToLW(res, domain, QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 10); | |
2357 | ||
2358 | return 1; | |
2359 | }); | |
2360 | ||
2361 | const time_t now = sr->getNow().tv_sec; | |
2362 | ||
2363 | vector<DNSRecord> ret; | |
2364 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
2365 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
2366 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
2367 | BOOST_REQUIRE_EQUAL(QType(ret.at(0).d_type).getName(), QType(QType::A).getName()); | |
2368 | BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret.at(0))->getCA().toString(), ComboAddress("192.0.2.2").toString()); | |
2369 | ||
2370 | /* check that we correctly cached only the answer entry, not the additional one */ | |
2371 | const ComboAddress who; | |
2372 | vector<DNSRecord> cached; | |
2373 | BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0); | |
2374 | BOOST_REQUIRE_EQUAL(cached.size(), 1); | |
2375 | BOOST_REQUIRE_EQUAL(QType(cached.at(0).d_type).getName(), QType(QType::A).getName()); | |
2376 | BOOST_CHECK_EQUAL(getRR<ARecordContent>(cached.at(0))->getCA().toString(), ComboAddress("192.0.2.2").toString()); | |
2377 | } | |
2378 | ||
d6e797b8 RG |
2379 | BOOST_AUTO_TEST_CASE(test_delegation_only) { |
2380 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2381 | initSR(sr); |
d6e797b8 RG |
2382 | |
2383 | primeHints(); | |
2384 | ||
2385 | /* Thanks, Verisign */ | |
9065eb05 RG |
2386 | SyncRes::addDelegationOnly(DNSName("com.")); |
2387 | SyncRes::addDelegationOnly(DNSName("net.")); | |
d6e797b8 RG |
2388 | |
2389 | const DNSName target("nx-powerdns.com."); | |
2390 | ||
0bd2e252 | 2391 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
d6e797b8 RG |
2392 | |
2393 | if (isRootServer(ip)) { | |
8455425c | 2394 | setLWResult(res, 0, false, false, true); |
d6e797b8 RG |
2395 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
2396 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
2397 | return 1; | |
2398 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
2399 | ||
2400 | setLWResult(res, 0, true, false, true); | |
2401 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
2402 | return 1; | |
2403 | } | |
2404 | ||
2405 | return 0; | |
2406 | }); | |
2407 | ||
2408 | vector<DNSRecord> ret; | |
2409 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
2410 | BOOST_CHECK_EQUAL(res, RCode::NXDomain); | |
2411 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
2412 | } | |
2413 | ||
2414 | BOOST_AUTO_TEST_CASE(test_unauth_any) { | |
2415 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2416 | initSR(sr); |
d6e797b8 RG |
2417 | |
2418 | primeHints(); | |
2419 | ||
2420 | const DNSName target("powerdns.com."); | |
2421 | ||
0bd2e252 | 2422 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
d6e797b8 RG |
2423 | |
2424 | if (isRootServer(ip)) { | |
8455425c | 2425 | setLWResult(res, 0, false, false, true); |
d6e797b8 RG |
2426 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
2427 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
2428 | return 1; | |
2429 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
2430 | ||
2431 | setLWResult(res, 0, false, false, true); | |
2432 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
2433 | return 1; | |
2434 | } | |
2435 | ||
2436 | return 0; | |
2437 | }); | |
2438 | ||
2439 | vector<DNSRecord> ret; | |
2440 | int res = sr->beginResolve(target, QType(QType::ANY), QClass::IN, ret); | |
2441 | BOOST_CHECK_EQUAL(res, RCode::ServFail); | |
2442 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
2443 | } | |
2444 | ||
2445 | BOOST_AUTO_TEST_CASE(test_no_data) { | |
2446 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2447 | initSR(sr); |
d6e797b8 RG |
2448 | |
2449 | primeHints(); | |
2450 | ||
2451 | const DNSName target("powerdns.com."); | |
2452 | ||
0bd2e252 | 2453 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
d6e797b8 RG |
2454 | |
2455 | setLWResult(res, 0, true, false, true); | |
2456 | return 1; | |
2457 | }); | |
2458 | ||
2459 | vector<DNSRecord> ret; | |
2460 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 2461 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
d6e797b8 RG |
2462 | BOOST_CHECK_EQUAL(ret.size(), 0); |
2463 | } | |
2464 | ||
2465 | BOOST_AUTO_TEST_CASE(test_skip_opt_any) { | |
2466 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2467 | initSR(sr); |
d6e797b8 RG |
2468 | |
2469 | primeHints(); | |
2470 | ||
2471 | const DNSName target("powerdns.com."); | |
2472 | ||
0bd2e252 | 2473 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
d6e797b8 RG |
2474 | |
2475 | setLWResult(res, 0, true, false, true); | |
2476 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
2477 | addRecordToLW(res, domain, QType::ANY, "0 0"); | |
2478 | addRecordToLW(res, domain, QType::OPT, ""); | |
2479 | return 1; | |
2480 | }); | |
2481 | ||
2482 | vector<DNSRecord> ret; | |
2483 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 2484 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
d6e797b8 RG |
2485 | BOOST_CHECK_EQUAL(ret.size(), 1); |
2486 | } | |
2487 | ||
2488 | BOOST_AUTO_TEST_CASE(test_nodata_nsec_nodnssec) { | |
2489 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2490 | initSR(sr); |
d6e797b8 RG |
2491 | |
2492 | primeHints(); | |
2493 | ||
2494 | const DNSName target("powerdns.com."); | |
2495 | ||
0bd2e252 | 2496 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
d6e797b8 RG |
2497 | |
2498 | setLWResult(res, 0, true, false, true); | |
2499 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
2500 | /* the NSEC and RRSIG contents are complete garbage, please ignore them */ | |
2501 | addRecordToLW(res, domain, QType::NSEC, "deadbeef", DNSResourceRecord::AUTHORITY); | |
2b984251 | 2502 | addRecordToLW(res, domain, QType::RRSIG, "NSEC 5 2 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY); |
d6e797b8 RG |
2503 | addRecordToLW(res, domain, QType::RRSIG, "SOA 5 3 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY); |
2504 | return 1; | |
2505 | }); | |
2506 | ||
2507 | vector<DNSRecord> ret; | |
2508 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 2509 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
d6e797b8 RG |
2510 | BOOST_CHECK_EQUAL(ret.size(), 1); |
2511 | } | |
2512 | ||
2513 | BOOST_AUTO_TEST_CASE(test_nodata_nsec_dnssec) { | |
2514 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2515 | initSR(sr, true); |
d6e797b8 RG |
2516 | |
2517 | primeHints(); | |
2518 | ||
2519 | const DNSName target("powerdns.com."); | |
2520 | ||
0bd2e252 | 2521 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
d6e797b8 RG |
2522 | |
2523 | setLWResult(res, 0, true, false, true); | |
2524 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
2525 | /* the NSEC and RRSIG contents are complete garbage, please ignore them */ | |
2526 | addRecordToLW(res, domain, QType::NSEC, "deadbeef", DNSResourceRecord::AUTHORITY); | |
2b984251 | 2527 | addRecordToLW(res, domain, QType::RRSIG, "NSEC 5 2 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY); |
d6e797b8 RG |
2528 | addRecordToLW(res, domain, QType::RRSIG, "SOA 5 3 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY); |
2529 | return 1; | |
2530 | }); | |
2531 | ||
2532 | vector<DNSRecord> ret; | |
2533 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 2534 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
d6e797b8 RG |
2535 | BOOST_CHECK_EQUAL(ret.size(), 4); |
2536 | } | |
2537 | ||
2538 | BOOST_AUTO_TEST_CASE(test_nx_nsec_nodnssec) { | |
2539 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2540 | initSR(sr); |
d6e797b8 RG |
2541 | |
2542 | primeHints(); | |
2543 | ||
2544 | const DNSName target("powerdns.com."); | |
2545 | ||
0bd2e252 | 2546 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
d6e797b8 RG |
2547 | |
2548 | setLWResult(res, RCode::NXDomain, true, false, true); | |
2549 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
2550 | /* the NSEC and RRSIG contents are complete garbage, please ignore them */ | |
2551 | addRecordToLW(res, domain, QType::NSEC, "deadbeef", DNSResourceRecord::AUTHORITY); | |
2b984251 | 2552 | addRecordToLW(res, domain, QType::RRSIG, "NSEC 5 2 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY); |
d6e797b8 RG |
2553 | addRecordToLW(res, domain, QType::RRSIG, "SOA 5 3 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY); |
2554 | return 1; | |
2555 | }); | |
2556 | ||
2557 | vector<DNSRecord> ret; | |
2558 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
2559 | BOOST_CHECK_EQUAL(res, RCode::NXDomain); | |
2560 | BOOST_CHECK_EQUAL(ret.size(), 1); | |
2561 | } | |
2562 | ||
2563 | BOOST_AUTO_TEST_CASE(test_nx_nsec_dnssec) { | |
2564 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2565 | initSR(sr, true); |
d6e797b8 RG |
2566 | |
2567 | primeHints(); | |
2568 | ||
2569 | const DNSName target("powerdns.com."); | |
2570 | ||
0bd2e252 | 2571 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
d6e797b8 RG |
2572 | |
2573 | setLWResult(res, RCode::NXDomain, true, false, true); | |
2574 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
2575 | /* the NSEC and RRSIG contents are complete garbage, please ignore them */ | |
2576 | addRecordToLW(res, domain, QType::NSEC, "deadbeef", DNSResourceRecord::AUTHORITY); | |
2b984251 | 2577 | addRecordToLW(res, domain, QType::RRSIG, "NSEC 5 2 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY); |
d6e797b8 RG |
2578 | addRecordToLW(res, domain, QType::RRSIG, "SOA 5 3 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY); |
2579 | return 1; | |
2580 | }); | |
2581 | ||
2582 | vector<DNSRecord> ret; | |
2583 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
2584 | BOOST_CHECK_EQUAL(res, RCode::NXDomain); | |
2585 | BOOST_CHECK_EQUAL(ret.size(), 4); | |
2586 | } | |
2587 | ||
648bcbd1 RG |
2588 | BOOST_AUTO_TEST_CASE(test_qclass_none) { |
2589 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2590 | initSR(sr); |
648bcbd1 RG |
2591 | |
2592 | primeHints(); | |
2593 | ||
2594 | /* apart from special names and QClass::ANY, anything else than QClass::IN should be rejected right away */ | |
2595 | size_t queriesCount = 0; | |
2596 | ||
0bd2e252 | 2597 | sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
648bcbd1 RG |
2598 | |
2599 | queriesCount++; | |
2600 | return 0; | |
2601 | }); | |
2602 | ||
2603 | const DNSName target("powerdns.com."); | |
2604 | vector<DNSRecord> ret; | |
2605 | int res = sr->beginResolve(target, QType(QType::A), QClass::NONE, ret); | |
2606 | BOOST_CHECK_EQUAL(res, -1); | |
2607 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
2608 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2609 | } | |
2610 | ||
70ea0c65 RG |
2611 | BOOST_AUTO_TEST_CASE(test_answer_no_aa) { |
2612 | std::unique_ptr<SyncRes> sr; | |
2613 | initSR(sr, true); | |
2614 | ||
2615 | primeHints(); | |
2616 | ||
2617 | const DNSName target("powerdns.com."); | |
2618 | ||
2619 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { | |
2620 | ||
2621 | setLWResult(res, 0, false, false, true); | |
2622 | addRecordToLW(res, domain, QType::A, "192.0.2.1"); | |
2623 | return 1; | |
2624 | }); | |
2625 | ||
2626 | const time_t now = sr->getNow().tv_sec; | |
2627 | ||
2628 | vector<DNSRecord> ret; | |
2629 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
2630 | BOOST_CHECK_EQUAL(res, RCode::ServFail); | |
2631 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
2632 | ||
2633 | /* check that the record in the answer section has not been cached */ | |
2634 | const ComboAddress who; | |
2635 | vector<DNSRecord> cached; | |
2636 | vector<std::shared_ptr<RRSIGRecordContent>> signatures; | |
2637 | BOOST_REQUIRE_EQUAL(t_RC->get(now, target, QType(QType::A), false, &cached, who, &signatures), -1); | |
2638 | } | |
2639 | ||
1f03b691 | 2640 | BOOST_AUTO_TEST_CASE(test_special_types) { |
648bcbd1 | 2641 | std::unique_ptr<SyncRes> sr; |
895449a5 | 2642 | initSR(sr); |
648bcbd1 RG |
2643 | |
2644 | primeHints(); | |
2645 | ||
1f03b691 | 2646 | /* {A,I}XFR, RRSIG and NSEC3 should be rejected right away */ |
648bcbd1 RG |
2647 | size_t queriesCount = 0; |
2648 | ||
0bd2e252 | 2649 | sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
648bcbd1 RG |
2650 | |
2651 | cerr<<"asyncresolve called to ask "<<ip.toStringWithPort()<<" about "<<domain.toString()<<" / "<<QType(type).getName()<<" over "<<(doTCP ? "TCP" : "UDP")<<" (rd: "<<sendRDQuery<<", EDNS0 level: "<<EDNS0Level<<")"<<endl; | |
2652 | queriesCount++; | |
2653 | return 0; | |
2654 | }); | |
2655 | ||
2656 | const DNSName target("powerdns.com."); | |
2657 | vector<DNSRecord> ret; | |
2658 | int res = sr->beginResolve(target, QType(QType::AXFR), QClass::IN, ret); | |
2659 | BOOST_CHECK_EQUAL(res, -1); | |
2660 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
2661 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2662 | ||
2663 | res = sr->beginResolve(target, QType(QType::IXFR), QClass::IN, ret); | |
2664 | BOOST_CHECK_EQUAL(res, -1); | |
2665 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
2666 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
1f03b691 RG |
2667 | |
2668 | res = sr->beginResolve(target, QType(QType::RRSIG), QClass::IN, ret); | |
2669 | BOOST_CHECK_EQUAL(res, -1); | |
2670 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
2671 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2672 | ||
2673 | res = sr->beginResolve(target, QType(QType::NSEC3), QClass::IN, ret); | |
648bcbd1 RG |
2674 | BOOST_CHECK_EQUAL(res, -1); |
2675 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
2676 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2677 | } | |
2678 | ||
2679 | BOOST_AUTO_TEST_CASE(test_special_names) { | |
2680 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2681 | initSR(sr); |
648bcbd1 RG |
2682 | |
2683 | primeHints(); | |
2684 | ||
2685 | /* special names should be handled internally */ | |
2686 | ||
2687 | size_t queriesCount = 0; | |
2688 | ||
0bd2e252 | 2689 | sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
648bcbd1 RG |
2690 | |
2691 | queriesCount++; | |
2692 | return 0; | |
2693 | }); | |
2694 | ||
2695 | vector<DNSRecord> ret; | |
2696 | int res = sr->beginResolve(DNSName("1.0.0.127.in-addr.arpa."), QType(QType::PTR), QClass::IN, ret); | |
b7f378d1 | 2697 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
2698 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
2699 | BOOST_CHECK(ret[0].d_type == QType::PTR); | |
2700 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2701 | ||
2702 | ret.clear(); | |
2703 | res = sr->beginResolve(DNSName("1.0.0.127.in-addr.arpa."), QType(QType::ANY), QClass::IN, ret); | |
b7f378d1 | 2704 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
2705 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
2706 | BOOST_CHECK(ret[0].d_type == QType::PTR); | |
2707 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2708 | ||
2709 | ret.clear(); | |
2710 | res = sr->beginResolve(DNSName("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."), QType(QType::PTR), QClass::IN, ret); | |
b7f378d1 | 2711 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
2712 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
2713 | BOOST_CHECK(ret[0].d_type == QType::PTR); | |
2714 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2715 | ||
2716 | ret.clear(); | |
2717 | res = sr->beginResolve(DNSName("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."), QType(QType::ANY), QClass::IN, ret); | |
b7f378d1 | 2718 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
2719 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
2720 | BOOST_CHECK(ret[0].d_type == QType::PTR); | |
2721 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2722 | ||
2723 | ret.clear(); | |
2724 | res = sr->beginResolve(DNSName("localhost."), QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 2725 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
2726 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
2727 | BOOST_CHECK(ret[0].d_type == QType::A); | |
2728 | BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[0])->getCA().toString(), "127.0.0.1"); | |
2729 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2730 | ||
2731 | ret.clear(); | |
2732 | res = sr->beginResolve(DNSName("localhost."), QType(QType::AAAA), QClass::IN, ret); | |
b7f378d1 | 2733 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
2734 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
2735 | BOOST_CHECK(ret[0].d_type == QType::AAAA); | |
2736 | BOOST_CHECK_EQUAL(getRR<AAAARecordContent>(ret[0])->getCA().toString(), "::1"); | |
2737 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2738 | ||
2739 | ret.clear(); | |
2740 | res = sr->beginResolve(DNSName("localhost."), QType(QType::ANY), QClass::IN, ret); | |
b7f378d1 | 2741 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
2742 | BOOST_REQUIRE_EQUAL(ret.size(), 2); |
2743 | for (const auto& rec : ret) { | |
2744 | BOOST_REQUIRE((rec.d_type == QType::A) || rec.d_type == QType::AAAA); | |
2745 | if (rec.d_type == QType::A) { | |
2746 | BOOST_CHECK_EQUAL(getRR<ARecordContent>(rec)->getCA().toString(), "127.0.0.1"); | |
2747 | } | |
2748 | else { | |
2749 | BOOST_CHECK_EQUAL(getRR<AAAARecordContent>(rec)->getCA().toString(), "::1"); | |
2750 | } | |
2751 | } | |
2752 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2753 | ||
2754 | ret.clear(); | |
2755 | res = sr->beginResolve(DNSName("version.bind."), QType(QType::TXT), QClass::CHAOS, ret); | |
b7f378d1 | 2756 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
2757 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
2758 | BOOST_CHECK(ret[0].d_type == QType::TXT); | |
2759 | BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests\""); | |
2760 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2761 | ||
2762 | ret.clear(); | |
2763 | res = sr->beginResolve(DNSName("version.bind."), QType(QType::ANY), QClass::CHAOS, ret); | |
b7f378d1 | 2764 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
2765 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
2766 | BOOST_CHECK(ret[0].d_type == QType::TXT); | |
2767 | BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests\""); | |
2768 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2769 | ||
2770 | ret.clear(); | |
2771 | res = sr->beginResolve(DNSName("version.pdns."), QType(QType::TXT), QClass::CHAOS, ret); | |
b7f378d1 | 2772 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
2773 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
2774 | BOOST_CHECK(ret[0].d_type == QType::TXT); | |
2775 | BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests\""); | |
2776 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2777 | ||
2778 | ret.clear(); | |
2779 | res = sr->beginResolve(DNSName("version.pdns."), QType(QType::ANY), QClass::CHAOS, ret); | |
b7f378d1 | 2780 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
2781 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
2782 | BOOST_CHECK(ret[0].d_type == QType::TXT); | |
2783 | BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests\""); | |
2784 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2785 | ||
2786 | ret.clear(); | |
2787 | res = sr->beginResolve(DNSName("id.server."), QType(QType::TXT), QClass::CHAOS, ret); | |
b7f378d1 | 2788 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
2789 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
2790 | BOOST_CHECK(ret[0].d_type == QType::TXT); | |
2791 | BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests Server ID\""); | |
2792 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2793 | ||
2794 | ret.clear(); | |
2795 | res = sr->beginResolve(DNSName("id.server."), QType(QType::ANY), QClass::CHAOS, ret); | |
b7f378d1 | 2796 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
2797 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
2798 | BOOST_CHECK(ret[0].d_type == QType::TXT); | |
2799 | BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests Server ID\""); | |
2800 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
2801 | } | |
2802 | ||
2803 | BOOST_AUTO_TEST_CASE(test_nameserver_ipv4_rpz) { | |
2804 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2805 | initSR(sr); |
648bcbd1 RG |
2806 | |
2807 | primeHints(); | |
2808 | ||
2809 | const DNSName target("rpz.powerdns.com."); | |
2810 | const ComboAddress ns("192.0.2.1:53"); | |
2811 | ||
0bd2e252 | 2812 | sr->setAsyncCallback([target,ns](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
648bcbd1 RG |
2813 | |
2814 | if (isRootServer(ip)) { | |
8455425c | 2815 | setLWResult(res, false, true, false, true); |
648bcbd1 RG |
2816 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
2817 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600); | |
2818 | return 1; | |
2819 | } else if (ip == ns) { | |
2820 | ||
2821 | setLWResult(res, 0, true, false, true); | |
2822 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
2823 | return 1; | |
2824 | } | |
2825 | ||
2826 | return 0; | |
2827 | }); | |
2828 | ||
2829 | DNSFilterEngine::Policy pol; | |
2830 | pol.d_kind = DNSFilterEngine::PolicyKind::Drop; | |
6b972d59 RG |
2831 | std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>(); |
2832 | zone->setName("Unit test policy 0"); | |
6da513b2 | 2833 | zone->addNSIPTrigger(Netmask(ns, 32), std::move(pol)); |
648bcbd1 | 2834 | auto luaconfsCopy = g_luaconfs.getCopy(); |
6b972d59 | 2835 | luaconfsCopy.dfe.addZone(zone); |
648bcbd1 RG |
2836 | g_luaconfs.setState(luaconfsCopy); |
2837 | ||
2838 | vector<DNSRecord> ret; | |
2839 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
2840 | BOOST_CHECK_EQUAL(res, -2); | |
2841 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
2842 | } | |
2843 | ||
2844 | BOOST_AUTO_TEST_CASE(test_nameserver_ipv6_rpz) { | |
2845 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2846 | initSR(sr); |
648bcbd1 RG |
2847 | |
2848 | primeHints(); | |
2849 | ||
2850 | const DNSName target("rpz.powerdns.com."); | |
2851 | const ComboAddress ns("[2001:DB8::42]:53"); | |
2852 | ||
0bd2e252 | 2853 | sr->setAsyncCallback([target,ns](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
648bcbd1 RG |
2854 | |
2855 | if (isRootServer(ip)) { | |
8455425c | 2856 | setLWResult(res, 0, false, false, true); |
648bcbd1 RG |
2857 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); |
2858 | addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600); | |
2859 | return 1; | |
2860 | } else if (ip == ns) { | |
2861 | ||
2862 | setLWResult(res, 0, true, false, true); | |
2863 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
2864 | return 1; | |
2865 | } | |
2866 | ||
2867 | return 0; | |
2868 | }); | |
2869 | ||
2870 | DNSFilterEngine::Policy pol; | |
2871 | pol.d_kind = DNSFilterEngine::PolicyKind::Drop; | |
6b972d59 RG |
2872 | std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>(); |
2873 | zone->setName("Unit test policy 0"); | |
6da513b2 | 2874 | zone->addNSIPTrigger(Netmask(ns, 128), std::move(pol)); |
648bcbd1 | 2875 | auto luaconfsCopy = g_luaconfs.getCopy(); |
6b972d59 | 2876 | luaconfsCopy.dfe.addZone(zone); |
648bcbd1 RG |
2877 | g_luaconfs.setState(luaconfsCopy); |
2878 | ||
2879 | vector<DNSRecord> ret; | |
2880 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
2881 | BOOST_CHECK_EQUAL(res, -2); | |
2882 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
2883 | } | |
2884 | ||
2885 | BOOST_AUTO_TEST_CASE(test_nameserver_name_rpz) { | |
2886 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2887 | initSR(sr); |
648bcbd1 RG |
2888 | |
2889 | primeHints(); | |
2890 | ||
2891 | const DNSName target("rpz.powerdns.com."); | |
2892 | const ComboAddress ns("192.0.2.1:53"); | |
2893 | const DNSName nsName("ns1.powerdns.com."); | |
2894 | ||
0bd2e252 | 2895 | sr->setAsyncCallback([target,ns,nsName](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
648bcbd1 RG |
2896 | |
2897 | if (isRootServer(ip)) { | |
8455425c | 2898 | setLWResult(res, 0, false, false, true); |
648bcbd1 RG |
2899 | addRecordToLW(res, domain, QType::NS, nsName.toString(), DNSResourceRecord::AUTHORITY, 172800); |
2900 | addRecordToLW(res, nsName, QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600); | |
2901 | return 1; | |
2902 | } else if (ip == ns) { | |
2903 | ||
2904 | setLWResult(res, 0, true, false, true); | |
2905 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
2906 | return 1; | |
2907 | } | |
2908 | ||
2909 | return 0; | |
2910 | }); | |
2911 | ||
2912 | DNSFilterEngine::Policy pol; | |
2913 | pol.d_kind = DNSFilterEngine::PolicyKind::Drop; | |
6b972d59 RG |
2914 | std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>(); |
2915 | zone->setName("Unit test policy 0"); | |
6da513b2 | 2916 | zone->addNSTrigger(nsName, std::move(pol)); |
648bcbd1 | 2917 | auto luaconfsCopy = g_luaconfs.getCopy(); |
6b972d59 | 2918 | luaconfsCopy.dfe.addZone(zone); |
648bcbd1 RG |
2919 | g_luaconfs.setState(luaconfsCopy); |
2920 | ||
2921 | vector<DNSRecord> ret; | |
2922 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
2923 | BOOST_CHECK_EQUAL(res, -2); | |
2924 | BOOST_CHECK_EQUAL(ret.size(), 0); | |
2925 | } | |
2926 | ||
2927 | BOOST_AUTO_TEST_CASE(test_nameserver_name_rpz_disabled) { | |
2928 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2929 | initSR(sr); |
648bcbd1 RG |
2930 | |
2931 | primeHints(); | |
2932 | ||
2933 | const DNSName target("rpz.powerdns.com."); | |
2934 | const ComboAddress ns("192.0.2.1:53"); | |
2935 | const DNSName nsName("ns1.powerdns.com."); | |
2936 | ||
0bd2e252 | 2937 | sr->setAsyncCallback([target,ns,nsName](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
648bcbd1 RG |
2938 | |
2939 | if (isRootServer(ip)) { | |
8455425c | 2940 | setLWResult(res, 0, false, false, true); |
648bcbd1 RG |
2941 | addRecordToLW(res, domain, QType::NS, nsName.toString(), DNSResourceRecord::AUTHORITY, 172800); |
2942 | addRecordToLW(res, nsName, QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600); | |
2943 | return 1; | |
2944 | } else if (ip == ns) { | |
2945 | ||
2946 | setLWResult(res, 0, true, false, true); | |
2947 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
2948 | return 1; | |
2949 | } | |
2950 | ||
2951 | return 0; | |
2952 | }); | |
2953 | ||
2954 | DNSFilterEngine::Policy pol; | |
2955 | pol.d_kind = DNSFilterEngine::PolicyKind::Drop; | |
6b972d59 RG |
2956 | std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>(); |
2957 | zone->setName("Unit test policy 0"); | |
6da513b2 RG |
2958 | zone->addNSIPTrigger(Netmask(ns, 128), DNSFilterEngine::Policy(pol)); |
2959 | zone->addNSTrigger(nsName, std::move(pol)); | |
648bcbd1 | 2960 | auto luaconfsCopy = g_luaconfs.getCopy(); |
6b972d59 | 2961 | luaconfsCopy.dfe.addZone(zone); |
648bcbd1 RG |
2962 | g_luaconfs.setState(luaconfsCopy); |
2963 | ||
2964 | /* RPZ is disabled for this query, we should not be blocked */ | |
2965 | sr->setWantsRPZ(false); | |
2966 | ||
2967 | vector<DNSRecord> ret; | |
2968 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 2969 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
648bcbd1 RG |
2970 | BOOST_CHECK_EQUAL(ret.size(), 1); |
2971 | } | |
2972 | ||
3e59ff53 RG |
2973 | BOOST_AUTO_TEST_CASE(test_forward_zone_nord) { |
2974 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 2975 | initSR(sr); |
3e59ff53 RG |
2976 | |
2977 | primeHints(); | |
2978 | ||
2979 | const DNSName target("powerdns.com."); | |
2980 | const ComboAddress ns("192.0.2.1:53"); | |
2981 | const ComboAddress forwardedNS("192.0.2.42:53"); | |
2982 | ||
2983 | SyncRes::AuthDomain ad; | |
2984 | ad.d_rdForward = false; | |
2985 | ad.d_servers.push_back(forwardedNS); | |
a712cb56 | 2986 | (*SyncRes::t_sstorage.domainmap)[target] = ad; |
3e59ff53 | 2987 | |
0bd2e252 | 2988 | sr->setAsyncCallback([forwardedNS](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3e59ff53 RG |
2989 | |
2990 | if (ip == forwardedNS) { | |
6dfff36f RG |
2991 | BOOST_CHECK_EQUAL(sendRDQuery, false); |
2992 | ||
3e59ff53 RG |
2993 | setLWResult(res, 0, true, false, true); |
2994 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
2995 | return 1; | |
2996 | } | |
2997 | ||
2998 | return 0; | |
2999 | }); | |
3000 | ||
3001 | /* simulate a no-RD query */ | |
3002 | sr->setCacheOnly(); | |
3003 | ||
3004 | vector<DNSRecord> ret; | |
3005 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 3006 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
3e59ff53 RG |
3007 | BOOST_CHECK_EQUAL(ret.size(), 1); |
3008 | } | |
3009 | ||
3010 | BOOST_AUTO_TEST_CASE(test_forward_zone_rd) { | |
3011 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 3012 | initSR(sr); |
3e59ff53 RG |
3013 | |
3014 | primeHints(); | |
3015 | ||
3016 | const DNSName target("powerdns.com."); | |
3017 | const ComboAddress ns("192.0.2.1:53"); | |
3018 | const ComboAddress forwardedNS("192.0.2.42:53"); | |
3019 | ||
ad797d94 | 3020 | size_t queriesCount = 0; |
3e59ff53 | 3021 | SyncRes::AuthDomain ad; |
ad797d94 | 3022 | ad.d_rdForward = true; |
3e59ff53 | 3023 | ad.d_servers.push_back(forwardedNS); |
a712cb56 | 3024 | (*SyncRes::t_sstorage.domainmap)[target] = ad; |
3e59ff53 | 3025 | |
0bd2e252 | 3026 | sr->setAsyncCallback([forwardedNS, &queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
ad797d94 RG |
3027 | |
3028 | queriesCount++; | |
3e59ff53 RG |
3029 | |
3030 | if (ip == forwardedNS) { | |
ad797d94 | 3031 | BOOST_CHECK_EQUAL(sendRDQuery, true); |
6dfff36f | 3032 | |
ad797d94 RG |
3033 | /* set AA=0, we are a recursor */ |
3034 | setLWResult(res, 0, false, false, true); | |
3e59ff53 RG |
3035 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); |
3036 | return 1; | |
3037 | } | |
3038 | ||
3039 | return 0; | |
3040 | }); | |
3041 | ||
3042 | vector<DNSRecord> ret; | |
3043 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 3044 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
3e59ff53 | 3045 | BOOST_CHECK_EQUAL(ret.size(), 1); |
ad797d94 RG |
3046 | BOOST_CHECK_EQUAL(queriesCount, 1); |
3047 | ||
3048 | /* now make sure we can resolve from the cache (see #6340 | |
3049 | where the entries were added to the cache but not retrieved, | |
3050 | because the recursor doesn't set the AA bit and we require | |
3051 | it. We fixed it by not requiring the AA bit for forward-recurse | |
3052 | answers. */ | |
3053 | ret.clear(); | |
3054 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
3055 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
3056 | BOOST_CHECK_EQUAL(ret.size(), 1); | |
3057 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
3e59ff53 RG |
3058 | } |
3059 | ||
3060 | BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_nord) { | |
3061 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 3062 | initSR(sr); |
3e59ff53 RG |
3063 | |
3064 | primeHints(); | |
3065 | ||
3066 | const DNSName target("powerdns.com."); | |
3067 | const ComboAddress ns("192.0.2.1:53"); | |
3068 | const ComboAddress forwardedNS("192.0.2.42:53"); | |
3069 | ||
3070 | SyncRes::AuthDomain ad; | |
3071 | ad.d_rdForward = true; | |
3072 | ad.d_servers.push_back(forwardedNS); | |
a712cb56 | 3073 | (*SyncRes::t_sstorage.domainmap)[target] = ad; |
3e59ff53 | 3074 | |
0bd2e252 | 3075 | sr->setAsyncCallback([forwardedNS](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3e59ff53 RG |
3076 | |
3077 | if (ip == forwardedNS) { | |
6dfff36f RG |
3078 | BOOST_CHECK_EQUAL(sendRDQuery, false); |
3079 | ||
3e59ff53 RG |
3080 | setLWResult(res, 0, true, false, true); |
3081 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
3082 | return 1; | |
3083 | } | |
3084 | ||
3085 | return 0; | |
3086 | }); | |
3087 | ||
3088 | /* simulate a no-RD query */ | |
3089 | sr->setCacheOnly(); | |
3090 | ||
3091 | vector<DNSRecord> ret; | |
3092 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 3093 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
3e59ff53 RG |
3094 | BOOST_CHECK_EQUAL(ret.size(), 1); |
3095 | } | |
3096 | ||
3097 | BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd) { | |
3098 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 3099 | initSR(sr); |
3e59ff53 RG |
3100 | |
3101 | primeHints(); | |
3102 | ||
3103 | const DNSName target("powerdns.com."); | |
3104 | const ComboAddress ns("192.0.2.1:53"); | |
3105 | const ComboAddress forwardedNS("192.0.2.42:53"); | |
3106 | ||
3107 | SyncRes::AuthDomain ad; | |
3108 | ad.d_rdForward = true; | |
3109 | ad.d_servers.push_back(forwardedNS); | |
a712cb56 | 3110 | (*SyncRes::t_sstorage.domainmap)[target] = ad; |
3e59ff53 | 3111 | |
0bd2e252 | 3112 | sr->setAsyncCallback([forwardedNS](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3e59ff53 RG |
3113 | |
3114 | if (ip == forwardedNS) { | |
6dfff36f RG |
3115 | BOOST_CHECK_EQUAL(sendRDQuery, true); |
3116 | ||
3e59ff53 RG |
3117 | setLWResult(res, 0, true, false, true); |
3118 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
3119 | return 1; | |
3120 | } | |
3121 | ||
3122 | return 0; | |
3123 | }); | |
3124 | ||
3125 | vector<DNSRecord> ret; | |
3126 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 3127 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
3e59ff53 RG |
3128 | BOOST_CHECK_EQUAL(ret.size(), 1); |
3129 | } | |
3130 | ||
dff3ef07 RG |
3131 | BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd_dnssec) { |
3132 | std::unique_ptr<SyncRes> sr; | |
3133 | initSR(sr, true); | |
3134 | ||
3135 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
3136 | ||
3137 | primeHints(); | |
3138 | /* signed */ | |
3139 | const DNSName target("test."); | |
3140 | /* unsigned */ | |
3141 | const DNSName cnameTarget("cname."); | |
3142 | testkeysset_t keys; | |
3143 | ||
3144 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
3145 | luaconfsCopy.dsAnchors.clear(); | |
3146 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
3147 | generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
3148 | g_luaconfs.setState(luaconfsCopy); | |
3149 | ||
3150 | const ComboAddress forwardedNS("192.0.2.42:53"); | |
3151 | size_t queriesCount = 0; | |
3152 | ||
3153 | SyncRes::AuthDomain ad; | |
3154 | ad.d_rdForward = true; | |
3155 | ad.d_servers.push_back(forwardedNS); | |
3156 | (*SyncRes::t_sstorage.domainmap)[g_rootdnsname] = ad; | |
3157 | ||
3158 | sr->setAsyncCallback([target,cnameTarget,keys,forwardedNS,&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { | |
3159 | queriesCount++; | |
3160 | ||
3161 | BOOST_CHECK_EQUAL(sendRDQuery, true); | |
3162 | ||
3163 | if (ip != forwardedNS) { | |
3164 | return 0; | |
3165 | } | |
3166 | ||
3167 | if (type == QType::DS || type == QType::DNSKEY) { | |
3168 | return genericDSAndDNSKEYHandler(res, domain, DNSName("."), type, keys); | |
3169 | } | |
3170 | ||
3171 | if (domain == target && type == QType::A) { | |
3172 | ||
3173 | setLWResult(res, 0, false, false, true); | |
3174 | addRecordToLW(res, target, QType::CNAME, cnameTarget.toString()); | |
3175 | addRRSIG(keys, res->d_records, domain, 300); | |
3176 | addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1"); | |
3177 | ||
3178 | return 1; | |
3179 | } | |
3180 | return 0; | |
3181 | }); | |
3182 | ||
3183 | vector<DNSRecord> ret; | |
3184 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
3185 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
3186 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
3187 | BOOST_REQUIRE_EQUAL(ret.size(), 3); | |
3188 | BOOST_CHECK_EQUAL(queriesCount, 5); | |
3189 | ||
3190 | /* again, to test the cache */ | |
3191 | ret.clear(); | |
3192 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
3193 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
3194 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
3195 | BOOST_REQUIRE_EQUAL(ret.size(), 3); | |
3196 | BOOST_CHECK_EQUAL(queriesCount, 5); | |
3197 | } | |
3198 | ||
3199 | BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd_dnssec_bogus) { | |
3200 | std::unique_ptr<SyncRes> sr; | |
3201 | initSR(sr, true); | |
3202 | ||
3203 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
3204 | ||
3205 | primeHints(); | |
3206 | /* signed */ | |
3207 | const DNSName target("test."); | |
3208 | /* signed */ | |
3209 | const DNSName cnameTarget("cname."); | |
3210 | testkeysset_t keys; | |
3211 | ||
3212 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
3213 | luaconfsCopy.dsAnchors.clear(); | |
3214 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
3215 | generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
3216 | generateKeyMaterial(cnameTarget, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
3217 | g_luaconfs.setState(luaconfsCopy); | |
3218 | ||
3219 | const ComboAddress forwardedNS("192.0.2.42:53"); | |
3220 | size_t queriesCount = 0; | |
3221 | ||
3222 | SyncRes::AuthDomain ad; | |
3223 | ad.d_rdForward = true; | |
3224 | ad.d_servers.push_back(forwardedNS); | |
3225 | (*SyncRes::t_sstorage.domainmap)[g_rootdnsname] = ad; | |
3226 | ||
3227 | sr->setAsyncCallback([target,cnameTarget,keys,forwardedNS,&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { | |
3228 | queriesCount++; | |
3229 | ||
3230 | BOOST_CHECK_EQUAL(sendRDQuery, true); | |
3231 | ||
3232 | if (ip != forwardedNS) { | |
3233 | return 0; | |
3234 | } | |
3235 | ||
3236 | if (type == QType::DS || type == QType::DNSKEY) { | |
3237 | return genericDSAndDNSKEYHandler(res, domain, DNSName("."), type, keys); | |
3238 | } | |
3239 | ||
3240 | if (domain == target && type == QType::A) { | |
3241 | ||
3242 | setLWResult(res, 0, false, false, true); | |
3243 | addRecordToLW(res, target, QType::CNAME, cnameTarget.toString()); | |
3244 | addRRSIG(keys, res->d_records, domain, 300); | |
3245 | addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1"); | |
3246 | /* no RRSIG in a signed zone, Bogus ! */ | |
3247 | ||
3248 | return 1; | |
3249 | } | |
3250 | return 0; | |
3251 | }); | |
3252 | ||
3253 | vector<DNSRecord> ret; | |
3254 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
3255 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
3256 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
3257 | BOOST_REQUIRE_EQUAL(ret.size(), 3); | |
3258 | BOOST_CHECK_EQUAL(queriesCount, 5); | |
3259 | ||
3260 | /* again, to test the cache */ | |
3261 | ret.clear(); | |
3262 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
3263 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
3264 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
3265 | BOOST_REQUIRE_EQUAL(ret.size(), 3); | |
3266 | BOOST_CHECK_EQUAL(queriesCount, 5); | |
3267 | } | |
3268 | ||
6e9d3cae RG |
3269 | BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd_dnssec_nodata_bogus) { |
3270 | std::unique_ptr<SyncRes> sr; | |
3271 | initSR(sr, true); | |
3272 | ||
3273 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
3274 | ||
3275 | primeHints(); | |
3276 | const DNSName target("powerdns.com."); | |
3277 | testkeysset_t keys; | |
3278 | ||
3279 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
3280 | luaconfsCopy.dsAnchors.clear(); | |
3281 | generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
3282 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
3283 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
3284 | g_luaconfs.setState(luaconfsCopy); | |
3285 | ||
3286 | const ComboAddress forwardedNS("192.0.2.42:53"); | |
3287 | SyncRes::AuthDomain ad; | |
3288 | ad.d_rdForward = true; | |
3289 | ad.d_servers.push_back(forwardedNS); | |
3290 | (*SyncRes::t_sstorage.domainmap)[g_rootdnsname] = ad; | |
3291 | ||
3292 | size_t queriesCount = 0; | |
3293 | ||
3294 | sr->setAsyncCallback([target,forwardedNS,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { | |
3295 | queriesCount++; | |
3296 | ||
3297 | BOOST_CHECK_EQUAL(sendRDQuery, true); | |
3298 | ||
3299 | if (ip != forwardedNS) { | |
3300 | return 0; | |
3301 | } | |
3302 | ||
3303 | if (type == QType::DS || type == QType::DNSKEY) { | |
3304 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
3305 | } | |
3306 | else { | |
3307 | ||
3308 | setLWResult(res, 0, false, false, true); | |
3309 | return 1; | |
3310 | } | |
3311 | ||
3312 | return 0; | |
3313 | }); | |
3314 | ||
3315 | vector<DNSRecord> ret; | |
3316 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
3317 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
3318 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
3319 | BOOST_REQUIRE_EQUAL(ret.size(), 0); | |
3320 | /* com|NS, powerdns.com|NS, powerdns.com|A */ | |
3321 | BOOST_CHECK_EQUAL(queriesCount, 3); | |
3322 | ||
3323 | /* again, to test the cache */ | |
3324 | ret.clear(); | |
3325 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
3326 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
3327 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
3328 | BOOST_REQUIRE_EQUAL(ret.size(), 0); | |
3329 | /* we don't store empty results */ | |
3330 | BOOST_CHECK_EQUAL(queriesCount, 4); | |
3331 | } | |
3332 | ||
e1636f82 | 3333 | BOOST_AUTO_TEST_CASE(test_auth_zone_oob) { |
f79a4e30 | 3334 | std::unique_ptr<SyncRes> sr; |
e1636f82 | 3335 | initSR(sr, true); |
f79a4e30 RG |
3336 | |
3337 | primeHints(); | |
3338 | ||
3339 | size_t queriesCount = 0; | |
3340 | const DNSName target("test.xx."); | |
3341 | const ComboAddress targetAddr("127.0.0.1"); | |
f79a4e30 RG |
3342 | const DNSName authZone("test.xx"); |
3343 | ||
3344 | SyncRes::AuthDomain ad; | |
3345 | DNSRecord dr; | |
f79a4e30 RG |
3346 | |
3347 | dr.d_place = DNSResourceRecord::ANSWER; | |
e1636f82 | 3348 | dr.d_name = target; |
f79a4e30 RG |
3349 | dr.d_type = QType::A; |
3350 | dr.d_ttl = 1800; | |
e1636f82 | 3351 | dr.d_content = std::make_shared<ARecordContent>(targetAddr); |
f79a4e30 RG |
3352 | ad.d_records.insert(dr); |
3353 | ||
a712cb56 | 3354 | (*SyncRes::t_sstorage.domainmap)[authZone] = ad; |
f79a4e30 | 3355 | |
0bd2e252 | 3356 | sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
f79a4e30 RG |
3357 | queriesCount++; |
3358 | return 0; | |
3359 | }); | |
3360 | ||
3361 | vector<DNSRecord> ret; | |
3362 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
3363 | BOOST_CHECK_EQUAL(res, 0); | |
3364 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
3365 | BOOST_CHECK(ret[0].d_type == QType::A); | |
3366 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
3367 | BOOST_CHECK(sr->wasOutOfBand()); | |
e1636f82 | 3368 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); |
f79a4e30 RG |
3369 | |
3370 | /* a second time, to check that the OOB flag is set when the query cache is used */ | |
3371 | ret.clear(); | |
3372 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
3373 | BOOST_CHECK_EQUAL(res, 0); | |
3374 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
3375 | BOOST_CHECK(ret[0].d_type == QType::A); | |
3376 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
3377 | BOOST_CHECK(sr->wasOutOfBand()); | |
e1636f82 RG |
3378 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); |
3379 | ||
3380 | /* a third time, to check that the validation is disabled when the OOB flag is set */ | |
3381 | ret.clear(); | |
3382 | sr->setDNSSECValidationRequested(true); | |
3383 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
3384 | BOOST_CHECK_EQUAL(res, 0); | |
3385 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
3386 | BOOST_CHECK(ret[0].d_type == QType::A); | |
3387 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
3388 | BOOST_CHECK(sr->wasOutOfBand()); | |
3389 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
3390 | } | |
3391 | ||
3392 | BOOST_AUTO_TEST_CASE(test_auth_zone_oob_cname) { | |
3393 | std::unique_ptr<SyncRes> sr; | |
3394 | initSR(sr, true); | |
3395 | ||
3396 | primeHints(); | |
3397 | ||
3398 | size_t queriesCount = 0; | |
3399 | const DNSName target("cname.test.xx."); | |
3400 | const DNSName targetCname("cname-target.test.xx."); | |
3401 | const ComboAddress targetCnameAddr("127.0.0.1"); | |
3402 | const DNSName authZone("test.xx"); | |
3403 | ||
3404 | SyncRes::AuthDomain ad; | |
3405 | DNSRecord dr; | |
3406 | ||
3407 | dr.d_place = DNSResourceRecord::ANSWER; | |
3408 | dr.d_name = target; | |
3409 | dr.d_type = QType::CNAME; | |
3410 | dr.d_ttl = 1800; | |
3411 | dr.d_content = std::make_shared<CNAMERecordContent>(targetCname); | |
3412 | ad.d_records.insert(dr); | |
3413 | ||
3414 | dr.d_place = DNSResourceRecord::ANSWER; | |
3415 | dr.d_name = targetCname; | |
3416 | dr.d_type = QType::A; | |
3417 | dr.d_ttl = 1800; | |
3418 | dr.d_content = std::make_shared<ARecordContent>(targetCnameAddr); | |
3419 | ad.d_records.insert(dr); | |
3420 | ||
3421 | (*SyncRes::t_sstorage.domainmap)[authZone] = ad; | |
3422 | ||
0bd2e252 | 3423 | sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
e1636f82 RG |
3424 | queriesCount++; |
3425 | return 0; | |
3426 | }); | |
3427 | ||
3428 | vector<DNSRecord> ret; | |
3429 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
3430 | BOOST_CHECK_EQUAL(res, 0); | |
3431 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
3432 | BOOST_CHECK(ret[0].d_type == QType::CNAME); | |
3433 | BOOST_CHECK(ret[1].d_type == QType::A); | |
3434 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
3435 | BOOST_CHECK(sr->wasOutOfBand()); | |
3436 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
3437 | ||
3438 | /* a second time, to check that the OOB flag is set when the query cache is used */ | |
3439 | ret.clear(); | |
3440 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
3441 | BOOST_CHECK_EQUAL(res, 0); | |
3442 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
3443 | BOOST_CHECK(ret[0].d_type == QType::CNAME); | |
3444 | BOOST_CHECK(ret[1].d_type == QType::A); | |
3445 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
3446 | BOOST_CHECK(sr->wasOutOfBand()); | |
3447 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
3448 | ||
3449 | /* a third time, to check that the validation is disabled when the OOB flag is set */ | |
3450 | ret.clear(); | |
3451 | sr->setDNSSECValidationRequested(true); | |
3452 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
3453 | BOOST_CHECK_EQUAL(res, 0); | |
3454 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
3455 | BOOST_CHECK(ret[0].d_type == QType::CNAME); | |
3456 | BOOST_CHECK(ret[1].d_type == QType::A); | |
3457 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
3458 | BOOST_CHECK(sr->wasOutOfBand()); | |
3459 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
f79a4e30 RG |
3460 | } |
3461 | ||
3337c2f7 RG |
3462 | BOOST_AUTO_TEST_CASE(test_auth_zone) { |
3463 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 3464 | initSR(sr); |
3337c2f7 RG |
3465 | |
3466 | primeHints(); | |
3467 | ||
3468 | size_t queriesCount = 0; | |
3469 | const DNSName target("powerdns.com."); | |
3470 | const ComboAddress addr("192.0.2.5"); | |
3471 | ||
3472 | SyncRes::AuthDomain ad; | |
3473 | ad.d_name = target; | |
3474 | DNSRecord dr; | |
3475 | dr.d_place = DNSResourceRecord::ANSWER; | |
3476 | dr.d_name = target; | |
3477 | dr.d_type = QType::SOA; | |
3478 | dr.d_ttl = 3600; | |
3479 | dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600"); | |
3480 | ad.d_records.insert(dr); | |
3481 | ||
3482 | dr.d_place = DNSResourceRecord::ANSWER; | |
3483 | dr.d_name = target; | |
3484 | dr.d_type = QType::A; | |
3485 | dr.d_ttl = 3600; | |
3486 | dr.d_content = std::make_shared<ARecordContent>(addr); | |
3487 | ad.d_records.insert(dr); | |
3488 | ||
3489 | auto map = std::make_shared<SyncRes::domainmap_t>(); | |
3490 | (*map)[target] = ad; | |
3491 | SyncRes::setDomainMap(map); | |
3492 | ||
0bd2e252 | 3493 | sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3337c2f7 RG |
3494 | |
3495 | queriesCount++; | |
3496 | setLWResult(res, 0, true, false, true); | |
3497 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
3498 | return 1; | |
3499 | }); | |
3500 | ||
3501 | vector<DNSRecord> ret; | |
3502 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 3503 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
3337c2f7 RG |
3504 | BOOST_CHECK_EQUAL(ret.size(), 1); |
3505 | BOOST_CHECK(ret[0].d_type == QType::A); | |
3506 | BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[0])->getCA().toString(), addr.toString()); | |
3507 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
3508 | } | |
3509 | ||
3510 | BOOST_AUTO_TEST_CASE(test_auth_zone_cname_lead_to_oob) { | |
3511 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 3512 | initSR(sr); |
3337c2f7 RG |
3513 | |
3514 | primeHints(); | |
3515 | ||
3516 | size_t queriesCount = 0; | |
3517 | const DNSName target("powerdns.com."); | |
3518 | const DNSName authZone("internal.powerdns.com."); | |
3519 | const ComboAddress addr("192.0.2.5"); | |
3520 | ||
3521 | SyncRes::AuthDomain ad; | |
3522 | ad.d_name = authZone; | |
3523 | DNSRecord dr; | |
3524 | dr.d_place = DNSResourceRecord::ANSWER; | |
3525 | dr.d_name = authZone; | |
3526 | dr.d_type = QType::SOA; | |
3527 | dr.d_ttl = 3600; | |
3528 | dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600"); | |
3529 | ad.d_records.insert(dr); | |
3530 | ||
3531 | dr.d_place = DNSResourceRecord::ANSWER; | |
3532 | dr.d_name = authZone; | |
3533 | dr.d_type = QType::A; | |
3534 | dr.d_ttl = 3600; | |
3535 | dr.d_content = std::make_shared<ARecordContent>(addr); | |
3536 | ad.d_records.insert(dr); | |
3537 | ||
3538 | auto map = std::make_shared<SyncRes::domainmap_t>(); | |
3539 | (*map)[authZone] = ad; | |
3540 | SyncRes::setDomainMap(map); | |
3541 | ||
0bd2e252 | 3542 | sr->setAsyncCallback([&queriesCount,target,authZone](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3337c2f7 RG |
3543 | |
3544 | queriesCount++; | |
3545 | ||
3546 | if (domain == target) { | |
3547 | setLWResult(res, 0, true, false, true); | |
3548 | addRecordToLW(res, target, QType::CNAME, authZone.toString(), DNSResourceRecord::ANSWER, 3600); | |
3549 | return 1; | |
3550 | } | |
3551 | ||
3552 | return 0; | |
3553 | }); | |
3554 | ||
3555 | vector<DNSRecord> ret; | |
3556 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 3557 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
3337c2f7 RG |
3558 | BOOST_CHECK_EQUAL(ret.size(), 2); |
3559 | BOOST_CHECK(ret[0].d_type == QType::CNAME); | |
3560 | BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[0])->getTarget().toString(), authZone.toString()); | |
3561 | BOOST_CHECK(ret[1].d_type == QType::A); | |
3562 | BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[1])->getCA().toString(), addr.toString()); | |
3563 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
3564 | } | |
3565 | ||
3566 | BOOST_AUTO_TEST_CASE(test_auth_zone_oob_lead_to_outgoing_queryb) { | |
3567 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 3568 | initSR(sr); |
3337c2f7 RG |
3569 | |
3570 | primeHints(); | |
3571 | ||
3572 | size_t queriesCount = 0; | |
3573 | const DNSName target("powerdns.com."); | |
3574 | const DNSName externalCNAME("www.open-xchange.com."); | |
3575 | const ComboAddress addr("192.0.2.5"); | |
3576 | ||
3577 | SyncRes::AuthDomain ad; | |
3578 | ad.d_name = target; | |
3579 | DNSRecord dr; | |
3580 | dr.d_place = DNSResourceRecord::ANSWER; | |
3581 | dr.d_name = target; | |
3582 | dr.d_type = QType::SOA; | |
3583 | dr.d_ttl = 3600; | |
3584 | dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600"); | |
3585 | ad.d_records.insert(dr); | |
3586 | ||
3587 | dr.d_place = DNSResourceRecord::ANSWER; | |
3588 | dr.d_name = target; | |
3589 | dr.d_type = QType::CNAME; | |
3590 | dr.d_ttl = 3600; | |
3591 | dr.d_content = std::make_shared<CNAMERecordContent>(externalCNAME); | |
3592 | ad.d_records.insert(dr); | |
3593 | ||
3594 | auto map = std::make_shared<SyncRes::domainmap_t>(); | |
3595 | (*map)[target] = ad; | |
3596 | SyncRes::setDomainMap(map); | |
3597 | ||
0bd2e252 | 3598 | sr->setAsyncCallback([&queriesCount,externalCNAME,addr](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3337c2f7 RG |
3599 | |
3600 | queriesCount++; | |
3601 | ||
3602 | if (domain == externalCNAME) { | |
3603 | setLWResult(res, 0, true, false, true); | |
3604 | addRecordToLW(res, externalCNAME, QType::A, addr.toString(), DNSResourceRecord::ANSWER, 3600); | |
3605 | return 1; | |
3606 | } | |
3607 | ||
3608 | return 0; | |
3609 | }); | |
3610 | ||
3611 | vector<DNSRecord> ret; | |
3612 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 3613 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
3337c2f7 RG |
3614 | BOOST_CHECK_EQUAL(ret.size(), 2); |
3615 | BOOST_CHECK(ret[0].d_type == QType::CNAME); | |
3616 | BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[0])->getTarget().toString(), externalCNAME.toString()); | |
3617 | BOOST_CHECK(ret[1].d_type == QType::A); | |
3618 | BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[1])->getCA().toString(), addr.toString()); | |
3619 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
3620 | } | |
3621 | ||
3622 | BOOST_AUTO_TEST_CASE(test_auth_zone_nodata) { | |
3623 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 3624 | initSR(sr); |
3337c2f7 RG |
3625 | |
3626 | primeHints(); | |
3627 | ||
3628 | size_t queriesCount = 0; | |
3629 | const DNSName target("nodata.powerdns.com."); | |
3630 | const DNSName authZone("powerdns.com"); | |
3631 | ||
3632 | SyncRes::AuthDomain ad; | |
3633 | ad.d_name = authZone; | |
3634 | DNSRecord dr; | |
3635 | dr.d_place = DNSResourceRecord::ANSWER; | |
3636 | dr.d_name = target; | |
3637 | dr.d_type = QType::A; | |
3638 | dr.d_ttl = 3600; | |
3639 | dr.d_content = std::make_shared<ARecordContent>(ComboAddress("192.0.2.1")); | |
3640 | ad.d_records.insert(dr); | |
3641 | ||
3642 | dr.d_place = DNSResourceRecord::ANSWER; | |
3643 | dr.d_name = authZone; | |
3644 | dr.d_type = QType::SOA; | |
3645 | dr.d_ttl = 3600; | |
3646 | dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600"); | |
3647 | ad.d_records.insert(dr); | |
3648 | ||
3649 | auto map = std::make_shared<SyncRes::domainmap_t>(); | |
3650 | (*map)[authZone] = ad; | |
3651 | SyncRes::setDomainMap(map); | |
3652 | ||
0bd2e252 | 3653 | sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3337c2f7 RG |
3654 | |
3655 | queriesCount++; | |
3656 | ||
3657 | return 0; | |
3658 | }); | |
3659 | ||
3660 | vector<DNSRecord> ret; | |
3661 | int res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret); | |
b7f378d1 | 3662 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
3337c2f7 RG |
3663 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
3664 | BOOST_CHECK(ret[0].d_type == QType::SOA); | |
3665 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
3666 | } | |
3667 | ||
3668 | BOOST_AUTO_TEST_CASE(test_auth_zone_nx) { | |
3669 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 3670 | initSR(sr); |
3337c2f7 RG |
3671 | |
3672 | primeHints(); | |
3673 | ||
3674 | size_t queriesCount = 0; | |
3675 | const DNSName target("nx.powerdns.com."); | |
3676 | const DNSName authZone("powerdns.com"); | |
3677 | ||
3678 | SyncRes::AuthDomain ad; | |
3679 | ad.d_name = authZone; | |
3680 | DNSRecord dr; | |
3681 | dr.d_place = DNSResourceRecord::ANSWER; | |
3682 | dr.d_name = DNSName("powerdns.com."); | |
3683 | dr.d_type = QType::SOA; | |
3684 | dr.d_ttl = 3600; | |
3685 | dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600"); | |
3686 | ad.d_records.insert(dr); | |
3687 | ||
3688 | auto map = std::make_shared<SyncRes::domainmap_t>(); | |
3689 | (*map)[authZone] = ad; | |
3690 | SyncRes::setDomainMap(map); | |
3691 | ||
0bd2e252 | 3692 | sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3337c2f7 RG |
3693 | |
3694 | queriesCount++; | |
3695 | ||
3696 | return 0; | |
3697 | }); | |
3698 | ||
3699 | vector<DNSRecord> ret; | |
3700 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
3701 | BOOST_CHECK_EQUAL(res, RCode::NXDomain); | |
3702 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
3703 | BOOST_CHECK(ret[0].d_type == QType::SOA); | |
3704 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
3705 | } | |
3706 | ||
3707 | BOOST_AUTO_TEST_CASE(test_auth_zone_delegation) { | |
3708 | std::unique_ptr<SyncRes> sr; | |
e1636f82 | 3709 | initSR(sr, true, false); |
3337c2f7 RG |
3710 | |
3711 | primeHints(); | |
3712 | ||
3713 | size_t queriesCount = 0; | |
3714 | const DNSName target("www.test.powerdns.com."); | |
3715 | const ComboAddress targetAddr("192.0.2.2"); | |
3716 | const DNSName ns("ns1.test.powerdns.com."); | |
3717 | const ComboAddress nsAddr("192.0.2.1"); | |
3718 | const DNSName authZone("powerdns.com"); | |
3719 | ||
3720 | SyncRes::AuthDomain ad; | |
3721 | ad.d_name = authZone; | |
3722 | DNSRecord dr; | |
3723 | dr.d_place = DNSResourceRecord::ANSWER; | |
3724 | dr.d_name = authZone; | |
3725 | dr.d_type = QType::SOA; | |
3726 | dr.d_ttl = 3600; | |
3727 | dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600"); | |
3728 | ad.d_records.insert(dr); | |
3729 | ||
3730 | dr.d_place = DNSResourceRecord::ANSWER; | |
3731 | dr.d_name = DNSName("test.powerdns.com."); | |
3732 | dr.d_type = QType::NS; | |
3733 | dr.d_ttl = 3600; | |
3734 | dr.d_content = std::make_shared<NSRecordContent>(ns); | |
3735 | ad.d_records.insert(dr); | |
3736 | ||
3737 | dr.d_place = DNSResourceRecord::ANSWER; | |
3738 | dr.d_name = ns; | |
3739 | dr.d_type = QType::A; | |
3740 | dr.d_ttl = 3600; | |
3741 | dr.d_content = std::make_shared<ARecordContent>(nsAddr); | |
3742 | ad.d_records.insert(dr); | |
3743 | ||
3744 | auto map = std::make_shared<SyncRes::domainmap_t>(); | |
3745 | (*map)[authZone] = ad; | |
3746 | SyncRes::setDomainMap(map); | |
3747 | ||
e1636f82 RG |
3748 | testkeysset_t keys; |
3749 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
3750 | luaconfsCopy.dsAnchors.clear(); | |
3751 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors); | |
3752 | g_luaconfs.setState(luaconfsCopy); | |
3753 | ||
0bd2e252 | 3754 | sr->setAsyncCallback([&queriesCount,target,targetAddr,nsAddr,authZone,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3337c2f7 RG |
3755 | |
3756 | queriesCount++; | |
e1636f82 RG |
3757 | if (type == QType::DS || type == QType::DNSKEY) { |
3758 | return genericDSAndDNSKEYHandler(res, domain, DNSName("."), type, keys, domain == authZone); | |
3759 | } | |
3760 | ||
3337c2f7 RG |
3761 | if (ip == ComboAddress(nsAddr.toString(), 53) && domain == target) { |
3762 | setLWResult(res, 0, true, false, true); | |
3763 | addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); | |
3764 | return 1; | |
3765 | } | |
3766 | ||
3767 | return 0; | |
3768 | }); | |
3769 | ||
e1636f82 | 3770 | sr->setDNSSECValidationRequested(true); |
3337c2f7 RG |
3771 | vector<DNSRecord> ret; |
3772 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 3773 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
3337c2f7 RG |
3774 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
3775 | BOOST_CHECK(ret[0].d_type == QType::A); | |
e1636f82 RG |
3776 | BOOST_CHECK_EQUAL(queriesCount, 4); |
3777 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
3337c2f7 RG |
3778 | } |
3779 | ||
3780 | BOOST_AUTO_TEST_CASE(test_auth_zone_delegation_point) { | |
3781 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 3782 | initSR(sr); |
3337c2f7 RG |
3783 | |
3784 | primeHints(); | |
3785 | ||
3786 | size_t queriesCount = 0; | |
3787 | const DNSName target("test.powerdns.com."); | |
3788 | const ComboAddress targetAddr("192.0.2.2"); | |
3789 | const DNSName ns("ns1.test.powerdns.com."); | |
3790 | const ComboAddress nsAddr("192.0.2.1"); | |
3791 | const DNSName authZone("powerdns.com"); | |
3792 | ||
3793 | SyncRes::AuthDomain ad; | |
3794 | ad.d_name = authZone; | |
3795 | DNSRecord dr; | |
3796 | dr.d_place = DNSResourceRecord::ANSWER; | |
3797 | dr.d_name = authZone; | |
3798 | dr.d_type = QType::SOA; | |
3799 | dr.d_ttl = 3600; | |
3800 | dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600"); | |
3801 | ad.d_records.insert(dr); | |
3802 | ||
3803 | dr.d_place = DNSResourceRecord::ANSWER; | |
3804 | dr.d_name = DNSName("test.powerdns.com."); | |
3805 | dr.d_type = QType::NS; | |
3806 | dr.d_ttl = 3600; | |
3807 | dr.d_content = std::make_shared<NSRecordContent>(ns); | |
3808 | ad.d_records.insert(dr); | |
3809 | ||
3810 | dr.d_place = DNSResourceRecord::ANSWER; | |
3811 | dr.d_name = ns; | |
3812 | dr.d_type = QType::A; | |
3813 | dr.d_ttl = 3600; | |
3814 | dr.d_content = std::make_shared<ARecordContent>(nsAddr); | |
3815 | ad.d_records.insert(dr); | |
3816 | ||
3817 | auto map = std::make_shared<SyncRes::domainmap_t>(); | |
3818 | (*map)[authZone] = ad; | |
3819 | SyncRes::setDomainMap(map); | |
3820 | ||
0bd2e252 | 3821 | sr->setAsyncCallback([&queriesCount,nsAddr,target,targetAddr](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3337c2f7 RG |
3822 | |
3823 | queriesCount++; | |
3824 | ||
3825 | if (ip == ComboAddress(nsAddr.toString(), 53) && domain == target) { | |
3826 | setLWResult(res, 0, true, false, true); | |
3827 | addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); | |
3828 | return 1; | |
3829 | } | |
3830 | ||
3831 | return 0; | |
3832 | }); | |
3833 | ||
3834 | vector<DNSRecord> ret; | |
3835 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 3836 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
3337c2f7 RG |
3837 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
3838 | BOOST_CHECK(ret[0].d_type == QType::A); | |
3839 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
3840 | } | |
3841 | ||
3842 | BOOST_AUTO_TEST_CASE(test_auth_zone_wildcard) { | |
3843 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 3844 | initSR(sr); |
3337c2f7 RG |
3845 | |
3846 | primeHints(); | |
3847 | ||
3848 | size_t queriesCount = 0; | |
3849 | const DNSName target("test.powerdns.com."); | |
3850 | const ComboAddress targetAddr("192.0.2.2"); | |
3851 | const DNSName authZone("powerdns.com"); | |
3852 | ||
3853 | SyncRes::AuthDomain ad; | |
3854 | ad.d_name = authZone; | |
3855 | DNSRecord dr; | |
3856 | dr.d_place = DNSResourceRecord::ANSWER; | |
3857 | dr.d_name = authZone; | |
3858 | dr.d_type = QType::SOA; | |
3859 | dr.d_ttl = 3600; | |
3860 | dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600"); | |
3861 | ad.d_records.insert(dr); | |
3862 | ||
3863 | dr.d_place = DNSResourceRecord::ANSWER; | |
3864 | dr.d_name = DNSName("*.powerdns.com."); | |
3865 | dr.d_type = QType::A; | |
3866 | dr.d_ttl = 3600; | |
3867 | dr.d_content = std::make_shared<ARecordContent>(targetAddr); | |
3868 | ad.d_records.insert(dr); | |
3869 | ||
3870 | auto map = std::make_shared<SyncRes::domainmap_t>(); | |
3871 | (*map)[authZone] = ad; | |
3872 | SyncRes::setDomainMap(map); | |
3873 | ||
0bd2e252 | 3874 | sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3337c2f7 RG |
3875 | |
3876 | queriesCount++; | |
3877 | ||
3878 | return 0; | |
3879 | }); | |
3880 | ||
3881 | vector<DNSRecord> ret; | |
3882 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 3883 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
3337c2f7 RG |
3884 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
3885 | BOOST_CHECK(ret[0].d_type == QType::A); | |
3886 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
3887 | } | |
3888 | ||
3889 | BOOST_AUTO_TEST_CASE(test_auth_zone_wildcard_nodata) { | |
3890 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 3891 | initSR(sr); |
3337c2f7 RG |
3892 | |
3893 | primeHints(); | |
3894 | ||
3895 | size_t queriesCount = 0; | |
3896 | const DNSName target("test.powerdns.com."); | |
3897 | const ComboAddress targetAddr("192.0.2.2"); | |
3898 | const DNSName authZone("powerdns.com"); | |
3899 | ||
3900 | SyncRes::AuthDomain ad; | |
3901 | ad.d_name = authZone; | |
3902 | DNSRecord dr; | |
3903 | dr.d_place = DNSResourceRecord::ANSWER; | |
3904 | dr.d_name = authZone; | |
3905 | dr.d_type = QType::SOA; | |
3906 | dr.d_ttl = 3600; | |
3907 | dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600"); | |
3908 | ad.d_records.insert(dr); | |
3909 | ||
3910 | dr.d_place = DNSResourceRecord::ANSWER; | |
3911 | dr.d_name = DNSName("*.powerdns.com."); | |
3912 | dr.d_type = QType::A; | |
3913 | dr.d_ttl = 3600; | |
3914 | dr.d_content = std::make_shared<ARecordContent>(targetAddr); | |
3915 | ad.d_records.insert(dr); | |
3916 | ||
3917 | auto map = std::make_shared<SyncRes::domainmap_t>(); | |
3918 | (*map)[authZone] = ad; | |
3919 | SyncRes::setDomainMap(map); | |
3920 | ||
0bd2e252 | 3921 | sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3337c2f7 RG |
3922 | |
3923 | queriesCount++; | |
3924 | ||
3925 | return 0; | |
3926 | }); | |
3927 | ||
3928 | vector<DNSRecord> ret; | |
3929 | int res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret); | |
b7f378d1 | 3930 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
3337c2f7 RG |
3931 | BOOST_REQUIRE_EQUAL(ret.size(), 1); |
3932 | BOOST_CHECK(ret[0].d_type == QType::SOA); | |
3933 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
3934 | } | |
3935 | ||
3936 | BOOST_AUTO_TEST_CASE(test_auth_zone_cache_only) { | |
3937 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 3938 | initSR(sr); |
3337c2f7 RG |
3939 | |
3940 | primeHints(); | |
3941 | ||
3942 | size_t queriesCount = 0; | |
3943 | const DNSName target("powerdns.com."); | |
3944 | const ComboAddress addr("192.0.2.5"); | |
3945 | ||
3946 | SyncRes::AuthDomain ad; | |
3947 | ad.d_name = target; | |
3948 | DNSRecord dr; | |
3949 | dr.d_place = DNSResourceRecord::ANSWER; | |
3950 | dr.d_name = target; | |
3951 | dr.d_type = QType::SOA; | |
3952 | dr.d_ttl = 3600; | |
3953 | dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600"); | |
3954 | ad.d_records.insert(dr); | |
3955 | ||
3956 | dr.d_place = DNSResourceRecord::ANSWER; | |
3957 | dr.d_name = target; | |
3958 | dr.d_type = QType::A; | |
3959 | dr.d_ttl = 3600; | |
3960 | dr.d_content = std::make_shared<ARecordContent>(addr); | |
3961 | ad.d_records.insert(dr); | |
3962 | ||
3963 | auto map = std::make_shared<SyncRes::domainmap_t>(); | |
3964 | (*map)[target] = ad; | |
3965 | SyncRes::setDomainMap(map); | |
3966 | ||
0bd2e252 | 3967 | sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3337c2f7 RG |
3968 | |
3969 | queriesCount++; | |
3970 | setLWResult(res, 0, true, false, true); | |
3971 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
3972 | return 1; | |
3973 | }); | |
3974 | ||
3975 | /* simulate a no-RD query */ | |
3976 | sr->setCacheOnly(); | |
3977 | ||
3978 | vector<DNSRecord> ret; | |
3979 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 | 3980 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
3337c2f7 RG |
3981 | BOOST_CHECK_EQUAL(ret.size(), 1); |
3982 | BOOST_CHECK(ret[0].d_type == QType::A); | |
3983 | BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[0])->getCA().toString(), addr.toString()); | |
3984 | BOOST_CHECK_EQUAL(queriesCount, 0); | |
3985 | } | |
3986 | ||
8455425c | 3987 | BOOST_AUTO_TEST_CASE(test_dnssec_rrsig) { |
8455425c RG |
3988 | init(); |
3989 | ||
3990 | auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256)); | |
3991 | dcke->create(dcke->getBits()); | |
3992 | // cerr<<dcke->convertToISC()<<endl; | |
3993 | DNSSECPrivateKey dpk; | |
3994 | dpk.d_flags = 256; | |
3995 | dpk.setKey(dcke); | |
3996 | ||
3997 | std::vector<std::shared_ptr<DNSRecordContent> > recordcontents; | |
3998 | recordcontents.push_back(getRecordContent(QType::A, "192.0.2.1")); | |
3999 | ||
4000 | DNSName qname("powerdns.com."); | |
4001 | ||
179b340d | 4002 | time_t now = time(nullptr); |
8455425c | 4003 | RRSIGRecordContent rrc; |
179b340d RG |
4004 | /* this RRSIG is valid for the current second only */ |
4005 | computeRRSIG(dpk, qname, qname, QType::A, 600, 0, rrc, recordcontents, boost::none, now); | |
8455425c RG |
4006 | |
4007 | skeyset_t keyset; | |
4008 | keyset.insert(std::make_shared<DNSKEYRecordContent>(dpk.getDNSKEY())); | |
4009 | ||
4010 | std::vector<std::shared_ptr<RRSIGRecordContent> > sigs; | |
4011 | sigs.push_back(std::make_shared<RRSIGRecordContent>(rrc)); | |
4012 | ||
179b340d | 4013 | BOOST_CHECK(validateWithKeySet(now, qname, recordcontents, sigs, keyset)); |
8455425c RG |
4014 | } |
4015 | ||
4016 | BOOST_AUTO_TEST_CASE(test_dnssec_root_validation_csk) { | |
4017 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 4018 | initSR(sr, true); |
8455425c | 4019 | |
0c43f455 | 4020 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
8455425c RG |
4021 | |
4022 | primeHints(); | |
4023 | const DNSName target("."); | |
b7f378d1 | 4024 | testkeysset_t keys; |
8455425c RG |
4025 | |
4026 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
4027 | luaconfsCopy.dsAnchors.clear(); | |
4028 | generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
4029 | g_luaconfs.setState(luaconfsCopy); | |
4030 | ||
4031 | size_t queriesCount = 0; | |
4032 | ||
0bd2e252 | 4033 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
8455425c RG |
4034 | queriesCount++; |
4035 | ||
4036 | if (domain == target && type == QType::NS) { | |
4037 | ||
4038 | setLWResult(res, 0, true, false, true); | |
4039 | char addr[] = "a.root-servers.net."; | |
4040 | for (char idx = 'a'; idx <= 'm'; idx++) { | |
4041 | addr[0] = idx; | |
4042 | addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600); | |
4043 | } | |
4044 | ||
4045 | addRRSIG(keys, res->d_records, domain, 300); | |
4046 | ||
4047 | addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600); | |
4048 | addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600); | |
4049 | ||
4050 | return 1; | |
4051 | } else if (domain == target && type == QType::DNSKEY) { | |
4052 | ||
4053 | setLWResult(res, 0, true, false, true); | |
4054 | ||
4055 | addDNSKEY(keys, domain, 300, res->d_records); | |
4056 | addRRSIG(keys, res->d_records, domain, 300); | |
4057 | ||
4058 | return 1; | |
4059 | } | |
4060 | ||
4061 | return 0; | |
4062 | }); | |
4063 | ||
4064 | vector<DNSRecord> ret; | |
4065 | int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
b7f378d1 RG |
4066 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
4067 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
8455425c RG |
4068 | /* 13 NS + 1 RRSIG */ |
4069 | BOOST_REQUIRE_EQUAL(ret.size(), 14); | |
4070 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
b7f378d1 RG |
4071 | |
4072 | /* again, to test the cache */ | |
4073 | ret.clear(); | |
4074 | res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
4075 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8455425c | 4076 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); |
b7f378d1 RG |
4077 | BOOST_REQUIRE_EQUAL(ret.size(), 14); |
4078 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
8455425c RG |
4079 | } |
4080 | ||
4081 | BOOST_AUTO_TEST_CASE(test_dnssec_root_validation_ksk_zsk) { | |
4082 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 4083 | initSR(sr, true); |
8455425c | 4084 | |
0c43f455 | 4085 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
8455425c RG |
4086 | |
4087 | primeHints(); | |
4088 | const DNSName target("."); | |
b7f378d1 RG |
4089 | testkeysset_t zskeys; |
4090 | testkeysset_t kskeys; | |
8455425c RG |
4091 | |
4092 | /* Generate key material for "." */ | |
4093 | auto dckeZ = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256)); | |
4094 | dckeZ->create(dckeZ->getBits()); | |
4095 | DNSSECPrivateKey ksk; | |
4096 | ksk.d_flags = 257; | |
4097 | ksk.setKey(dckeZ); | |
b7f378d1 RG |
4098 | DSRecordContent kskds = makeDSFromDNSKey(target, ksk.getDNSKEY(), DNSSECKeeper::SHA256); |
4099 | ||
8455425c RG |
4100 | auto dckeK = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256)); |
4101 | dckeK->create(dckeK->getBits()); | |
4102 | DNSSECPrivateKey zsk; | |
4103 | zsk.d_flags = 256; | |
4104 | zsk.setKey(dckeK); | |
b7f378d1 | 4105 | DSRecordContent zskds = makeDSFromDNSKey(target, zsk.getDNSKEY(), DNSSECKeeper::SHA256); |
8455425c | 4106 | |
b7f378d1 RG |
4107 | kskeys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(ksk, kskds); |
4108 | zskeys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(zsk, zskds); | |
8455425c RG |
4109 | |
4110 | /* Set the root DS */ | |
8455425c RG |
4111 | auto luaconfsCopy = g_luaconfs.getCopy(); |
4112 | luaconfsCopy.dsAnchors.clear(); | |
b7f378d1 | 4113 | luaconfsCopy.dsAnchors[g_rootdnsname].insert(kskds); |
8455425c RG |
4114 | g_luaconfs.setState(luaconfsCopy); |
4115 | ||
4116 | size_t queriesCount = 0; | |
4117 | ||
0bd2e252 | 4118 | sr->setAsyncCallback([target,&queriesCount,zskeys,kskeys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
8455425c RG |
4119 | queriesCount++; |
4120 | ||
4121 | if (domain == target && type == QType::NS) { | |
4122 | ||
4123 | setLWResult(res, 0, true, false, true); | |
4124 | char addr[] = "a.root-servers.net."; | |
4125 | for (char idx = 'a'; idx <= 'm'; idx++) { | |
4126 | addr[0] = idx; | |
4127 | addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600); | |
4128 | } | |
4129 | ||
4130 | addRRSIG(zskeys, res->d_records, domain, 300); | |
4131 | ||
4132 | addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600); | |
4133 | addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600); | |
4134 | ||
4135 | return 1; | |
4136 | } else if (domain == target && type == QType::DNSKEY) { | |
4137 | ||
4138 | setLWResult(res, 0, true, false, true); | |
4139 | ||
4140 | addDNSKEY(kskeys, domain, 300, res->d_records); | |
4141 | addDNSKEY(zskeys, domain, 300, res->d_records); | |
4142 | addRRSIG(kskeys, res->d_records, domain, 300); | |
4143 | ||
4144 | return 1; | |
4145 | } | |
4146 | ||
4147 | return 0; | |
4148 | }); | |
4149 | ||
4150 | vector<DNSRecord> ret; | |
4151 | int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
b7f378d1 RG |
4152 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
4153 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
8455425c RG |
4154 | /* 13 NS + 1 RRSIG */ |
4155 | BOOST_REQUIRE_EQUAL(ret.size(), 14); | |
4156 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
b7f378d1 RG |
4157 | |
4158 | /* again, to test the cache */ | |
4159 | ret.clear(); | |
4160 | res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
4161 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8455425c | 4162 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); |
b7f378d1 RG |
4163 | BOOST_REQUIRE_EQUAL(ret.size(), 14); |
4164 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
8455425c RG |
4165 | } |
4166 | ||
4167 | BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_dnskey) { | |
4168 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 4169 | initSR(sr, true); |
8455425c | 4170 | |
0c43f455 | 4171 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
8455425c RG |
4172 | |
4173 | primeHints(); | |
4174 | const DNSName target("."); | |
b7f378d1 | 4175 | testkeysset_t keys; |
8455425c RG |
4176 | |
4177 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
4178 | luaconfsCopy.dsAnchors.clear(); | |
4179 | generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
4180 | g_luaconfs.setState(luaconfsCopy); | |
4181 | ||
4182 | size_t queriesCount = 0; | |
4183 | ||
0bd2e252 | 4184 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
8455425c RG |
4185 | queriesCount++; |
4186 | ||
4187 | if (domain == target && type == QType::NS) { | |
4188 | ||
4189 | setLWResult(res, 0, true, false, true); | |
4190 | char addr[] = "a.root-servers.net."; | |
4191 | for (char idx = 'a'; idx <= 'm'; idx++) { | |
4192 | addr[0] = idx; | |
4193 | addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600); | |
4194 | } | |
4195 | ||
4196 | addRRSIG(keys, res->d_records, domain, 300); | |
4197 | ||
4198 | addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600); | |
4199 | addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600); | |
4200 | ||
4201 | return 1; | |
4202 | } else if (domain == target && type == QType::DNSKEY) { | |
4203 | ||
4204 | setLWResult(res, 0, true, false, true); | |
4205 | ||
4206 | /* No DNSKEY */ | |
4207 | ||
4208 | return 1; | |
4209 | } | |
4210 | ||
4211 | return 0; | |
4212 | }); | |
4213 | ||
4214 | vector<DNSRecord> ret; | |
4215 | int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
b7f378d1 RG |
4216 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
4217 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
8455425c RG |
4218 | /* 13 NS + 1 RRSIG */ |
4219 | BOOST_REQUIRE_EQUAL(ret.size(), 14); | |
4220 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
b7f378d1 RG |
4221 | |
4222 | /* again, to test the cache */ | |
4223 | ret.clear(); | |
4224 | res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
4225 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8455425c | 4226 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); |
b7f378d1 RG |
4227 | BOOST_REQUIRE_EQUAL(ret.size(), 14); |
4228 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
8455425c RG |
4229 | } |
4230 | ||
4231 | BOOST_AUTO_TEST_CASE(test_dnssec_bogus_dnskey_doesnt_match_ds) { | |
4232 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 4233 | initSR(sr, true); |
8455425c | 4234 | |
0c43f455 | 4235 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
8455425c RG |
4236 | |
4237 | primeHints(); | |
4238 | const DNSName target("."); | |
b7f378d1 RG |
4239 | testkeysset_t dskeys; |
4240 | testkeysset_t keys; | |
8455425c RG |
4241 | |
4242 | /* Generate key material for "." */ | |
4243 | auto dckeDS = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256)); | |
4244 | dckeDS->create(dckeDS->getBits()); | |
4245 | DNSSECPrivateKey dskey; | |
4246 | dskey.d_flags = 257; | |
4247 | dskey.setKey(dckeDS); | |
b7f378d1 RG |
4248 | DSRecordContent drc = makeDSFromDNSKey(target, dskey.getDNSKEY(), DNSSECKeeper::SHA256); |
4249 | ||
8455425c RG |
4250 | auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256)); |
4251 | dcke->create(dcke->getBits()); | |
4252 | DNSSECPrivateKey dpk; | |
4253 | dpk.d_flags = 256; | |
4254 | dpk.setKey(dcke); | |
b7f378d1 | 4255 | DSRecordContent uselessdrc = makeDSFromDNSKey(target, dpk.getDNSKEY(), DNSSECKeeper::SHA256); |
8455425c | 4256 | |
b7f378d1 RG |
4257 | dskeys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(dskey, drc); |
4258 | keys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(dpk, uselessdrc); | |
8455425c RG |
4259 | |
4260 | /* Set the root DS */ | |
8455425c RG |
4261 | auto luaconfsCopy = g_luaconfs.getCopy(); |
4262 | luaconfsCopy.dsAnchors.clear(); | |
4263 | luaconfsCopy.dsAnchors[g_rootdnsname].insert(drc); | |
4264 | g_luaconfs.setState(luaconfsCopy); | |
4265 | ||
4266 | size_t queriesCount = 0; | |
4267 | ||
0bd2e252 | 4268 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
8455425c RG |
4269 | queriesCount++; |
4270 | ||
4271 | if (domain == target && type == QType::NS) { | |
4272 | ||
4273 | setLWResult(res, 0, true, false, true); | |
4274 | char addr[] = "a.root-servers.net."; | |
4275 | for (char idx = 'a'; idx <= 'm'; idx++) { | |
4276 | addr[0] = idx; | |
4277 | addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600); | |
4278 | } | |
4279 | ||
4280 | addRRSIG(keys, res->d_records, domain, 300); | |
4281 | ||
4282 | addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600); | |
4283 | addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600); | |
4284 | ||
4285 | return 1; | |
4286 | } else if (domain == target && type == QType::DNSKEY) { | |
4287 | ||
4288 | setLWResult(res, 0, true, false, true); | |
4289 | ||
4290 | addDNSKEY(keys, domain, 300, res->d_records); | |
4291 | addRRSIG(keys, res->d_records, domain, 300); | |
4292 | ||
4293 | return 1; | |
4294 | } | |
4295 | ||
4296 | return 0; | |
4297 | }); | |
4298 | ||
4299 | vector<DNSRecord> ret; | |
4300 | int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
b7f378d1 RG |
4301 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
4302 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
8455425c RG |
4303 | /* 13 NS + 1 RRSIG */ |
4304 | BOOST_REQUIRE_EQUAL(ret.size(), 14); | |
4305 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
b7f378d1 RG |
4306 | |
4307 | /* again, to test the cache */ | |
4308 | ret.clear(); | |
4309 | res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
4310 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8455425c | 4311 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); |
b7f378d1 RG |
4312 | BOOST_REQUIRE_EQUAL(ret.size(), 14); |
4313 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
8455425c RG |
4314 | } |
4315 | ||
4316 | BOOST_AUTO_TEST_CASE(test_dnssec_bogus_rrsig_signed_with_unknown_dnskey) { | |
4317 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 4318 | initSR(sr, true); |
8455425c | 4319 | |
0c43f455 | 4320 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
8455425c RG |
4321 | |
4322 | primeHints(); | |
4323 | const DNSName target("."); | |
b7f378d1 RG |
4324 | testkeysset_t keys; |
4325 | testkeysset_t rrsigkeys; | |
8455425c RG |
4326 | |
4327 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
4328 | luaconfsCopy.dsAnchors.clear(); | |
4329 | generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
4330 | g_luaconfs.setState(luaconfsCopy); | |
4331 | ||
4332 | auto dckeRRSIG = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256)); | |
4333 | dckeRRSIG->create(dckeRRSIG->getBits()); | |
4334 | DNSSECPrivateKey rrsigkey; | |
4335 | rrsigkey.d_flags = 257; | |
4336 | rrsigkey.setKey(dckeRRSIG); | |
b7f378d1 RG |
4337 | DSRecordContent rrsigds = makeDSFromDNSKey(target, rrsigkey.getDNSKEY(), DNSSECKeeper::SHA256); |
4338 | ||
4339 | rrsigkeys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(rrsigkey, rrsigds); | |
8455425c RG |
4340 | |
4341 | size_t queriesCount = 0; | |
4342 | ||
0bd2e252 | 4343 | sr->setAsyncCallback([target,&queriesCount,keys,rrsigkeys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
8455425c RG |
4344 | queriesCount++; |
4345 | ||
4346 | if (domain == target && type == QType::NS) { | |
4347 | ||
4348 | setLWResult(res, 0, true, false, true); | |
4349 | char addr[] = "a.root-servers.net."; | |
4350 | for (char idx = 'a'; idx <= 'm'; idx++) { | |
4351 | addr[0] = idx; | |
4352 | addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600); | |
4353 | } | |
4354 | ||
4355 | addRRSIG(rrsigkeys, res->d_records, domain, 300); | |
4356 | ||
4357 | addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600); | |
4358 | addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600); | |
4359 | ||
4360 | return 1; | |
4361 | } else if (domain == target && type == QType::DNSKEY) { | |
4362 | ||
4363 | setLWResult(res, 0, true, false, true); | |
4364 | ||
4365 | addDNSKEY(keys, domain, 300, res->d_records); | |
4366 | addRRSIG(rrsigkeys, res->d_records, domain, 300); | |
4367 | ||
4368 | return 1; | |
4369 | } | |
4370 | ||
4371 | return 0; | |
4372 | }); | |
4373 | ||
4374 | vector<DNSRecord> ret; | |
4375 | int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
b7f378d1 RG |
4376 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
4377 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
8455425c RG |
4378 | /* 13 NS + 1 RRSIG */ |
4379 | BOOST_REQUIRE_EQUAL(ret.size(), 14); | |
4380 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
b7f378d1 RG |
4381 | |
4382 | /* again, to test the cache */ | |
4383 | ret.clear(); | |
4384 | res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
4385 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8455425c | 4386 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); |
b7f378d1 RG |
4387 | BOOST_REQUIRE_EQUAL(ret.size(), 14); |
4388 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
8455425c RG |
4389 | } |
4390 | ||
4391 | BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_rrsig) { | |
4392 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 4393 | initSR(sr, true); |
8455425c | 4394 | |
0c43f455 | 4395 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
8455425c RG |
4396 | |
4397 | primeHints(); | |
4398 | const DNSName target("."); | |
b7f378d1 | 4399 | testkeysset_t keys; |
8455425c RG |
4400 | |
4401 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
4402 | luaconfsCopy.dsAnchors.clear(); | |
4403 | generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
4404 | g_luaconfs.setState(luaconfsCopy); | |
4405 | ||
4406 | size_t queriesCount = 0; | |
4407 | ||
0bd2e252 | 4408 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
8455425c RG |
4409 | queriesCount++; |
4410 | ||
4411 | if (domain == target && type == QType::NS) { | |
4412 | ||
4413 | setLWResult(res, 0, true, false, true); | |
4414 | char addr[] = "a.root-servers.net."; | |
4415 | for (char idx = 'a'; idx <= 'm'; idx++) { | |
4416 | addr[0] = idx; | |
4417 | addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600); | |
4418 | } | |
4419 | ||
4420 | /* No RRSIG */ | |
4421 | ||
4422 | addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600); | |
4423 | addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600); | |
4424 | ||
4425 | return 1; | |
4426 | } else if (domain == target && type == QType::DNSKEY) { | |
4427 | ||
4428 | setLWResult(res, 0, true, false, true); | |
4429 | ||
4430 | addDNSKEY(keys, domain, 300, res->d_records); | |
4431 | addRRSIG(keys, res->d_records, domain, 300); | |
4432 | ||
4433 | return 1; | |
4434 | } | |
4435 | ||
4436 | return 0; | |
4437 | }); | |
4438 | ||
4439 | vector<DNSRecord> ret; | |
4440 | int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
b7f378d1 RG |
4441 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
4442 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
8455425c RG |
4443 | /* 13 NS + 0 RRSIG */ |
4444 | BOOST_REQUIRE_EQUAL(ret.size(), 13); | |
4445 | /* no RRSIG so no query for DNSKEYs */ | |
4446 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
b7f378d1 RG |
4447 | |
4448 | /* again, to test the cache */ | |
4449 | ret.clear(); | |
4450 | res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
4451 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8455425c | 4452 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); |
b7f378d1 RG |
4453 | BOOST_REQUIRE_EQUAL(ret.size(), 13); |
4454 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
8455425c RG |
4455 | } |
4456 | ||
4457 | BOOST_AUTO_TEST_CASE(test_dnssec_insecure_unknown_ds_algorithm) { | |
4458 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 4459 | initSR(sr, true); |
8455425c | 4460 | |
0c43f455 | 4461 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
8455425c RG |
4462 | |
4463 | primeHints(); | |
4464 | const DNSName target("."); | |
b7f378d1 | 4465 | testkeysset_t keys; |
8455425c RG |
4466 | |
4467 | /* Generate key material for "." */ | |
4468 | auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256)); | |
4469 | dcke->create(dcke->getBits()); | |
4470 | DNSSECPrivateKey dpk; | |
4471 | dpk.d_flags = 256; | |
4472 | dpk.setKey(dcke); | |
4473 | /* Fake algorithm number (private) */ | |
4474 | dpk.d_algorithm = 253; | |
4475 | ||
8455425c | 4476 | DSRecordContent drc = makeDSFromDNSKey(target, dpk.getDNSKEY(), DNSSECKeeper::SHA256); |
b7f378d1 | 4477 | keys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(dpk, drc); |
8455425c RG |
4478 | /* Fake algorithm number (private) */ |
4479 | drc.d_algorithm = 253; | |
4480 | ||
b7f378d1 | 4481 | /* Set the root DS */ |
8455425c RG |
4482 | auto luaconfsCopy = g_luaconfs.getCopy(); |
4483 | luaconfsCopy.dsAnchors.clear(); | |
4484 | luaconfsCopy.dsAnchors[g_rootdnsname].insert(drc); | |
4485 | g_luaconfs.setState(luaconfsCopy); | |
4486 | ||
4487 | size_t queriesCount = 0; | |
4488 | ||
0bd2e252 | 4489 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
8455425c RG |
4490 | queriesCount++; |
4491 | ||
4492 | if (domain == target && type == QType::NS) { | |
4493 | ||
4494 | setLWResult(res, 0, true, false, true); | |
4495 | char addr[] = "a.root-servers.net."; | |
4496 | for (char idx = 'a'; idx <= 'm'; idx++) { | |
4497 | addr[0] = idx; | |
4498 | addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600); | |
4499 | } | |
4500 | ||
4501 | addRRSIG(keys, res->d_records, domain, 300); | |
4502 | ||
4503 | addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600); | |
4504 | addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600); | |
4505 | ||
4506 | return 1; | |
4507 | } else if (domain == target && type == QType::DNSKEY) { | |
4508 | ||
4509 | setLWResult(res, 0, true, false, true); | |
4510 | ||
4511 | addDNSKEY(keys, domain, 300, res->d_records); | |
4512 | addRRSIG(keys, res->d_records, domain, 300); | |
4513 | ||
4514 | return 1; | |
4515 | } | |
4516 | ||
4517 | return 0; | |
4518 | }); | |
4519 | ||
4520 | vector<DNSRecord> ret; | |
4521 | int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
b7f378d1 RG |
4522 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
4523 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
8455425c RG |
4524 | /* 13 NS + 1 RRSIG */ |
4525 | BOOST_REQUIRE_EQUAL(ret.size(), 14); | |
4526 | /* no supported DS so no query for DNSKEYs */ | |
4527 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
b7f378d1 RG |
4528 | |
4529 | /* again, to test the cache */ | |
4530 | ret.clear(); | |
4531 | res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
4532 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8455425c | 4533 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); |
b7f378d1 RG |
4534 | BOOST_REQUIRE_EQUAL(ret.size(), 14); |
4535 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
8455425c RG |
4536 | } |
4537 | ||
4538 | BOOST_AUTO_TEST_CASE(test_dnssec_insecure_unknown_ds_digest) { | |
4539 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 4540 | initSR(sr, true); |
8455425c | 4541 | |
0c43f455 | 4542 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
8455425c RG |
4543 | |
4544 | primeHints(); | |
4545 | const DNSName target("."); | |
b7f378d1 | 4546 | testkeysset_t keys; |
8455425c RG |
4547 | |
4548 | /* Generate key material for "." */ | |
4549 | auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256)); | |
4550 | dcke->create(dcke->getBits()); | |
4551 | DNSSECPrivateKey dpk; | |
4552 | dpk.d_flags = 256; | |
4553 | dpk.setKey(dcke); | |
8455425c RG |
4554 | DSRecordContent drc = makeDSFromDNSKey(target, dpk.getDNSKEY(), DNSSECKeeper::SHA256); |
4555 | /* Fake digest number (reserved) */ | |
4556 | drc.d_digesttype = 0; | |
4557 | ||
b7f378d1 RG |
4558 | keys[target] = std::pair<DNSSECPrivateKey, DSRecordContent>(dpk, drc); |
4559 | ||
4560 | /* Set the root DS */ | |
8455425c RG |
4561 | auto luaconfsCopy = g_luaconfs.getCopy(); |
4562 | luaconfsCopy.dsAnchors.clear(); | |
4563 | luaconfsCopy.dsAnchors[g_rootdnsname].insert(drc); | |
4564 | g_luaconfs.setState(luaconfsCopy); | |
4565 | ||
4566 | size_t queriesCount = 0; | |
4567 | ||
0bd2e252 | 4568 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
8455425c RG |
4569 | queriesCount++; |
4570 | ||
4571 | if (domain == target && type == QType::NS) { | |
4572 | ||
4573 | setLWResult(res, 0, true, false, true); | |
4574 | char addr[] = "a.root-servers.net."; | |
4575 | for (char idx = 'a'; idx <= 'm'; idx++) { | |
4576 | addr[0] = idx; | |
4577 | addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600); | |
4578 | } | |
4579 | ||
4580 | addRRSIG(keys, res->d_records, domain, 300); | |
4581 | ||
4582 | addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600); | |
4583 | addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600); | |
4584 | ||
4585 | return 1; | |
4586 | } else if (domain == target && type == QType::DNSKEY) { | |
4587 | ||
4588 | setLWResult(res, 0, true, false, true); | |
4589 | ||
4590 | addDNSKEY(keys, domain, 300, res->d_records); | |
4591 | addRRSIG(keys, res->d_records, domain, 300); | |
4592 | ||
4593 | return 1; | |
4594 | } | |
4595 | ||
4596 | return 0; | |
4597 | }); | |
4598 | ||
4599 | vector<DNSRecord> ret; | |
4600 | int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
b7f378d1 RG |
4601 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
4602 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
8455425c RG |
4603 | /* 13 NS + 1 RRSIG */ |
4604 | BOOST_REQUIRE_EQUAL(ret.size(), 14); | |
4605 | /* no supported DS so no query for DNSKEYs */ | |
4606 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
b7f378d1 RG |
4607 | |
4608 | /* again, to test the cache */ | |
4609 | ret.clear(); | |
4610 | res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
4611 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8455425c | 4612 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); |
b7f378d1 RG |
4613 | BOOST_REQUIRE_EQUAL(ret.size(), 14); |
4614 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
8455425c RG |
4615 | } |
4616 | ||
3d5ebf10 RG |
4617 | BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_sig) { |
4618 | std::unique_ptr<SyncRes> sr; | |
4619 | initSR(sr, true); | |
4620 | ||
0c43f455 | 4621 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
3d5ebf10 RG |
4622 | |
4623 | primeHints(); | |
4624 | const DNSName target("."); | |
4625 | testkeysset_t keys; | |
4626 | ||
4627 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
4628 | luaconfsCopy.dsAnchors.clear(); | |
4629 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors); | |
4630 | ||
4631 | g_luaconfs.setState(luaconfsCopy); | |
4632 | ||
4633 | size_t queriesCount = 0; | |
4634 | ||
0bd2e252 | 4635 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3d5ebf10 RG |
4636 | queriesCount++; |
4637 | ||
4638 | if (domain == target && type == QType::NS) { | |
4639 | ||
4640 | setLWResult(res, 0, true, false, true); | |
4641 | char addr[] = "a.root-servers.net."; | |
4642 | for (char idx = 'a'; idx <= 'm'; idx++) { | |
4643 | addr[0] = idx; | |
4644 | addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600); | |
4645 | } | |
4646 | ||
4647 | addRRSIG(keys, res->d_records, domain, 300, true); | |
4648 | ||
4649 | addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600); | |
4650 | addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600); | |
4651 | ||
4652 | return 1; | |
4653 | } else if (domain == target && type == QType::DNSKEY) { | |
4654 | ||
4655 | setLWResult(res, 0, true, false, true); | |
4656 | ||
4657 | addDNSKEY(keys, domain, 300, res->d_records); | |
4658 | addRRSIG(keys, res->d_records, domain, 300); | |
4659 | ||
4660 | return 1; | |
4661 | } | |
4662 | ||
4663 | return 0; | |
4664 | }); | |
4665 | ||
4666 | vector<DNSRecord> ret; | |
4667 | int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
4668 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
4669 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
4670 | /* 13 NS + 1 RRSIG */ | |
4671 | BOOST_REQUIRE_EQUAL(ret.size(), 14); | |
4672 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
4673 | ||
4674 | /* again, to test the cache */ | |
4675 | ret.clear(); | |
4676 | res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
4677 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
4678 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
4679 | BOOST_REQUIRE_EQUAL(ret.size(), 14); | |
4680 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
4681 | } | |
4682 | ||
4683 | BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_algo) { | |
4684 | std::unique_ptr<SyncRes> sr; | |
4685 | initSR(sr, true); | |
4686 | ||
0c43f455 | 4687 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
3d5ebf10 RG |
4688 | |
4689 | primeHints(); | |
4690 | const DNSName target("."); | |
4691 | testkeysset_t keys; | |
4692 | ||
4693 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
4694 | luaconfsCopy.dsAnchors.clear(); | |
4695 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors); | |
4696 | ||
4697 | g_luaconfs.setState(luaconfsCopy); | |
4698 | ||
4699 | size_t queriesCount = 0; | |
4700 | ||
0bd2e252 | 4701 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3d5ebf10 RG |
4702 | queriesCount++; |
4703 | ||
4704 | if (domain == target && type == QType::NS) { | |
4705 | ||
4706 | setLWResult(res, 0, true, false, true); | |
4707 | char addr[] = "a.root-servers.net."; | |
4708 | for (char idx = 'a'; idx <= 'm'; idx++) { | |
4709 | addr[0] = idx; | |
4710 | addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600); | |
4711 | } | |
4712 | ||
4713 | /* FORCE WRONG ALGO */ | |
4714 | addRRSIG(keys, res->d_records, domain, 300, false, DNSSECKeeper::RSASHA256); | |
4715 | ||
4716 | addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600); | |
4717 | addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600); | |
4718 | ||
4719 | return 1; | |
4720 | } else if (domain == target && type == QType::DNSKEY) { | |
4721 | ||
4722 | setLWResult(res, 0, true, false, true); | |
4723 | ||
4724 | addDNSKEY(keys, domain, 300, res->d_records); | |
4725 | addRRSIG(keys, res->d_records, domain, 300); | |
4726 | ||
4727 | return 1; | |
4728 | } | |
4729 | ||
4730 | return 0; | |
4731 | }); | |
4732 | ||
4733 | vector<DNSRecord> ret; | |
4734 | int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
4735 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
4736 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
4737 | /* 13 NS + 1 RRSIG */ | |
4738 | BOOST_REQUIRE_EQUAL(ret.size(), 14); | |
4739 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
4740 | ||
4741 | /* again, to test the cache */ | |
4742 | ret.clear(); | |
4743 | res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
4744 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
4745 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
4746 | BOOST_REQUIRE_EQUAL(ret.size(), 14); | |
4747 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
4748 | } | |
4749 | ||
f100caac RG |
4750 | BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds) { |
4751 | std::unique_ptr<SyncRes> sr; | |
4752 | initSR(sr, true); | |
4753 | ||
4754 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
4755 | ||
4756 | primeHints(); | |
4757 | const DNSName target("com."); | |
4758 | const ComboAddress targetAddr("192.0.2.42"); | |
4759 | testkeysset_t keys; | |
4760 | ||
4761 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
4762 | luaconfsCopy.dsAnchors.clear(); | |
4763 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors); | |
4764 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
4765 | ||
4766 | g_luaconfs.setState(luaconfsCopy); | |
4767 | ||
4768 | size_t queriesCount = 0; | |
4769 | ||
0bd2e252 | 4770 | sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
f100caac RG |
4771 | queriesCount++; |
4772 | ||
4773 | DNSName auth = domain; | |
4774 | ||
4775 | if (type == QType::DS || type == QType::DNSKEY) { | |
4776 | if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys) == 0) { | |
4777 | return 0; | |
4778 | } | |
4779 | ||
4780 | if (type == QType::DS && domain == target) { | |
4781 | /* remove the last record, which is the DS's RRSIG */ | |
4782 | res->d_records.pop_back(); | |
4783 | } | |
4784 | ||
4785 | return 1; | |
4786 | } | |
4787 | ||
4788 | if (isRootServer(ip)) { | |
4789 | setLWResult(res, 0, false, false, true); | |
4790 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
4791 | /* Include the DS but omit the RRSIG*/ | |
4792 | addDS(DNSName("com."), 300, res->d_records, keys); | |
4793 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
4794 | return 1; | |
4795 | } | |
4796 | ||
4797 | if (ip == ComboAddress("192.0.2.1:53")) { | |
4798 | setLWResult(res, RCode::NoError, true, false, true); | |
4799 | addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); | |
4800 | addRRSIG(keys, res->d_records, auth, 300); | |
4801 | return 1; | |
4802 | } | |
4803 | ||
4804 | return 0; | |
4805 | }); | |
4806 | ||
4807 | vector<DNSRecord> ret; | |
4808 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
4809 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
4810 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
4811 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
4812 | BOOST_CHECK_EQUAL(queriesCount, 4); | |
4813 | ||
4814 | /* again, to test the cache */ | |
4815 | ret.clear(); | |
4816 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
4817 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
4818 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
4819 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
4820 | BOOST_CHECK_EQUAL(queriesCount, 4); | |
4821 | ||
4822 | /* now we ask directly for the DS */ | |
4823 | ret.clear(); | |
4824 | res = sr->beginResolve(DNSName("com."), QType(QType::DS), QClass::IN, ret); | |
4825 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
4826 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
4827 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
4828 | BOOST_CHECK_EQUAL(queriesCount, 4); | |
4829 | } | |
4830 | ||
4831 | BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds_direct) { | |
4832 | std::unique_ptr<SyncRes> sr; | |
4833 | initSR(sr, true); | |
4834 | ||
4835 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
4836 | ||
4837 | primeHints(); | |
4838 | const DNSName target("com."); | |
4839 | testkeysset_t keys; | |
4840 | ||
4841 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
4842 | luaconfsCopy.dsAnchors.clear(); | |
4843 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors); | |
4844 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
4845 | ||
4846 | g_luaconfs.setState(luaconfsCopy); | |
4847 | ||
4848 | size_t queriesCount = 0; | |
4849 | ||
0bd2e252 | 4850 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
f100caac RG |
4851 | queriesCount++; |
4852 | ||
4853 | DNSName auth = domain; | |
4854 | ||
4855 | if (type == QType::DS || type == QType::DNSKEY) { | |
4856 | if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys) == 0) { | |
4857 | return 0; | |
4858 | } | |
4859 | ||
4860 | if (type == QType::DS && domain == target) { | |
4861 | /* remove the last record, which is the DS's RRSIG */ | |
4862 | res->d_records.pop_back(); | |
4863 | } | |
4864 | ||
4865 | return 1; | |
4866 | } | |
4867 | ||
4868 | if (isRootServer(ip)) { | |
4869 | setLWResult(res, 0, false, false, true); | |
4870 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
4871 | /* Include the DS but omit the RRSIG*/ | |
4872 | addDS(DNSName("com."), 300, res->d_records, keys); | |
4873 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
4874 | return 1; | |
4875 | } | |
4876 | ||
4877 | return 0; | |
4878 | }); | |
4879 | ||
4880 | vector<DNSRecord> ret; | |
4881 | int res = sr->beginResolve(DNSName("com."), QType(QType::DS), QClass::IN, ret); | |
4882 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
4883 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
4884 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
4885 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
4886 | } | |
4887 | ||
b7f378d1 | 4888 | BOOST_AUTO_TEST_CASE(test_dnssec_secure_various_algos) { |
8455425c | 4889 | std::unique_ptr<SyncRes> sr; |
895449a5 | 4890 | initSR(sr, true); |
8455425c | 4891 | |
0c43f455 | 4892 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
8455425c RG |
4893 | |
4894 | primeHints(); | |
4895 | const DNSName target("powerdns.com."); | |
b7f378d1 RG |
4896 | const ComboAddress targetAddr("192.0.2.42"); |
4897 | testkeysset_t keys; | |
8455425c RG |
4898 | |
4899 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
4900 | luaconfsCopy.dsAnchors.clear(); | |
b7f378d1 RG |
4901 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors); |
4902 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
4903 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA384, DNSSECKeeper::SHA384, keys); | |
8455425c RG |
4904 | |
4905 | g_luaconfs.setState(luaconfsCopy); | |
4906 | ||
4907 | size_t queriesCount = 0; | |
4908 | ||
0bd2e252 | 4909 | sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
8455425c RG |
4910 | queriesCount++; |
4911 | ||
b7f378d1 RG |
4912 | DNSName auth = domain; |
4913 | if (domain == target) { | |
4914 | auth = DNSName("powerdns.com."); | |
4915 | } | |
5374b03b RG |
4916 | |
4917 | if (type == QType::DS || type == QType::DNSKEY) { | |
4918 | return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); | |
8455425c | 4919 | } |
5374b03b RG |
4920 | |
4921 | if (isRootServer(ip)) { | |
4922 | setLWResult(res, 0, false, false, true); | |
4923 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
4924 | addDS(DNSName("com."), 300, res->d_records, keys); | |
4925 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
4926 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
8455425c RG |
4927 | return 1; |
4928 | } | |
5374b03b RG |
4929 | |
4930 | if (ip == ComboAddress("192.0.2.1:53")) { | |
4931 | if (domain == DNSName("com.")) { | |
4932 | setLWResult(res, 0, true, false, true); | |
4933 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
4934 | addRRSIG(keys, res->d_records, domain, 300); | |
8455425c | 4935 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); |
5374b03b | 4936 | addRRSIG(keys, res->d_records, domain, 300); |
8455425c | 4937 | } |
5374b03b RG |
4938 | else { |
4939 | setLWResult(res, 0, false, false, true); | |
4940 | addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
4941 | addDS(auth, 300, res->d_records, keys); | |
4942 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
4943 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
8455425c | 4944 | } |
5374b03b RG |
4945 | return 1; |
4946 | } | |
4947 | ||
4948 | if (ip == ComboAddress("192.0.2.2:53")) { | |
4949 | if (type == QType::NS) { | |
4950 | setLWResult(res, 0, true, false, true); | |
4951 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
4952 | addRRSIG(keys, res->d_records, auth, 300); | |
4953 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
4954 | addRRSIG(keys, res->d_records, auth, 300); | |
8455425c | 4955 | } |
5374b03b RG |
4956 | else { |
4957 | setLWResult(res, RCode::NoError, true, false, true); | |
4958 | addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); | |
4959 | addRRSIG(keys, res->d_records, auth, 300); | |
4960 | } | |
4961 | return 1; | |
8455425c RG |
4962 | } |
4963 | ||
4964 | return 0; | |
4965 | }); | |
4966 | ||
4967 | vector<DNSRecord> ret; | |
4968 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
b7f378d1 RG |
4969 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
4970 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
4971 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
f24465e5 | 4972 | BOOST_CHECK_EQUAL(queriesCount, 8); |
b7f378d1 RG |
4973 | |
4974 | /* again, to test the cache */ | |
4975 | ret.clear(); | |
4976 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
4977 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8455425c | 4978 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); |
b7f378d1 | 4979 | BOOST_REQUIRE_EQUAL(ret.size(), 2); |
f24465e5 | 4980 | BOOST_CHECK_EQUAL(queriesCount, 8); |
8455425c RG |
4981 | } |
4982 | ||
428f41b7 RG |
4983 | BOOST_AUTO_TEST_CASE(test_dnssec_secure_a_then_ns) { |
4984 | std::unique_ptr<SyncRes> sr; | |
4985 | initSR(sr, true); | |
4986 | ||
0c43f455 | 4987 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
428f41b7 RG |
4988 | |
4989 | primeHints(); | |
4990 | const DNSName target("powerdns.com."); | |
4991 | const ComboAddress targetAddr("192.0.2.42"); | |
4992 | testkeysset_t keys; | |
4993 | ||
4994 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
4995 | luaconfsCopy.dsAnchors.clear(); | |
4996 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
4997 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
4998 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
4999 | g_luaconfs.setState(luaconfsCopy); | |
5000 | ||
5001 | size_t queriesCount = 0; | |
5002 | ||
0bd2e252 | 5003 | sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
428f41b7 RG |
5004 | queriesCount++; |
5005 | ||
5006 | DNSName auth = domain; | |
5007 | if (domain == target) { | |
5008 | auth = DNSName("powerdns.com."); | |
5009 | } | |
5374b03b RG |
5010 | |
5011 | if (type == QType::DS || type == QType::DNSKEY) { | |
5012 | return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); | |
428f41b7 | 5013 | } |
5374b03b RG |
5014 | |
5015 | if (isRootServer(ip)) { | |
5016 | setLWResult(res, 0, false, false, true); | |
5017 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5018 | addDS(DNSName("com."), 300, res->d_records, keys); | |
5019 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
5020 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
428f41b7 RG |
5021 | return 1; |
5022 | } | |
5374b03b RG |
5023 | |
5024 | if (ip == ComboAddress("192.0.2.1:53")) { | |
5025 | if (domain == DNSName("com.")) { | |
5026 | setLWResult(res, 0, true, false, true); | |
5027 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
5028 | addRRSIG(keys, res->d_records, domain, 300); | |
428f41b7 | 5029 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); |
5374b03b | 5030 | addRRSIG(keys, res->d_records, domain, 300); |
428f41b7 | 5031 | } |
5374b03b RG |
5032 | else { |
5033 | setLWResult(res, 0, false, false, true); | |
5034 | addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5035 | addDS(auth, 300, res->d_records, keys); | |
5036 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
5037 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
428f41b7 | 5038 | } |
5374b03b RG |
5039 | return 1; |
5040 | } | |
5041 | ||
5042 | if (ip == ComboAddress("192.0.2.2:53")) { | |
5043 | if (type == QType::NS) { | |
5044 | setLWResult(res, 0, true, false, true); | |
5045 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
5046 | addRRSIG(keys, res->d_records, auth, 300); | |
5047 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
5048 | addRRSIG(keys, res->d_records, auth, 300); | |
5049 | } | |
5050 | else { | |
5051 | setLWResult(res, RCode::NoError, true, false, true); | |
5052 | addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); | |
5053 | addRRSIG(keys, res->d_records, auth, 300); | |
428f41b7 | 5054 | } |
5374b03b | 5055 | return 1; |
428f41b7 RG |
5056 | } |
5057 | ||
5058 | return 0; | |
5059 | }); | |
5060 | ||
5061 | vector<DNSRecord> ret; | |
5062 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5063 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5064 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
5065 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
5066 | BOOST_CHECK_EQUAL(queriesCount, 8); | |
5067 | ||
5068 | /* again, to test the cache */ | |
5069 | ret.clear(); | |
5070 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5071 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5072 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
5073 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
5074 | BOOST_CHECK_EQUAL(queriesCount, 8); | |
5075 | ||
5076 | /* this time we ask for the NS that should be in the cache, to check | |
5077 | the validation status */ | |
5078 | ret.clear(); | |
5079 | res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
5080 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5081 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
5082 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
5374b03b | 5083 | BOOST_CHECK_EQUAL(queriesCount, 9); |
428f41b7 RG |
5084 | |
5085 | } | |
5086 | ||
5087 | BOOST_AUTO_TEST_CASE(test_dnssec_insecure_a_then_ns) { | |
5088 | std::unique_ptr<SyncRes> sr; | |
5089 | initSR(sr, true); | |
5090 | ||
0c43f455 | 5091 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
428f41b7 RG |
5092 | |
5093 | primeHints(); | |
5094 | const DNSName target("powerdns.com."); | |
5095 | const ComboAddress targetAddr("192.0.2.42"); | |
5096 | testkeysset_t keys; | |
5097 | ||
5098 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
5099 | luaconfsCopy.dsAnchors.clear(); | |
5100 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
5101 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5102 | g_luaconfs.setState(luaconfsCopy); | |
5103 | ||
5104 | size_t queriesCount = 0; | |
5105 | ||
0bd2e252 | 5106 | sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
428f41b7 RG |
5107 | queriesCount++; |
5108 | ||
5109 | DNSName auth = domain; | |
5110 | if (domain == target) { | |
5111 | auth = DNSName("powerdns.com."); | |
5112 | } | |
5374b03b RG |
5113 | |
5114 | if (type == QType::DS || type == QType::DNSKEY) { | |
5115 | return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); | |
428f41b7 | 5116 | } |
5374b03b RG |
5117 | |
5118 | if (isRootServer(ip)) { | |
5119 | setLWResult(res, 0, false, false, true); | |
5120 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5121 | addDS(DNSName("com."), 300, res->d_records, keys); | |
5122 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
5123 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
428f41b7 RG |
5124 | return 1; |
5125 | } | |
5374b03b RG |
5126 | |
5127 | if (ip == ComboAddress("192.0.2.1:53")) { | |
5128 | if (domain == DNSName("com.")) { | |
5129 | setLWResult(res, 0, true, false, true); | |
5130 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
5131 | addRRSIG(keys, res->d_records, domain, 300); | |
428f41b7 | 5132 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); |
5374b03b | 5133 | addRRSIG(keys, res->d_records, domain, 300); |
428f41b7 | 5134 | } |
5374b03b RG |
5135 | else { |
5136 | setLWResult(res, 0, false, false, true); | |
5137 | addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5138 | /* no DS */ | |
5139 | addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records); | |
5140 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
5141 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
428f41b7 | 5142 | } |
5374b03b RG |
5143 | return 1; |
5144 | } | |
5145 | ||
5146 | if (ip == ComboAddress("192.0.2.2:53")) { | |
5147 | if (type == QType::NS) { | |
5148 | setLWResult(res, 0, true, false, true); | |
5149 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
5150 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
428f41b7 | 5151 | } |
5374b03b RG |
5152 | else { |
5153 | setLWResult(res, RCode::NoError, true, false, true); | |
5154 | addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); | |
5155 | } | |
5156 | return 1; | |
428f41b7 RG |
5157 | } |
5158 | ||
5159 | return 0; | |
5160 | }); | |
5161 | ||
5162 | vector<DNSRecord> ret; | |
5163 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5164 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5165 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
5166 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
5167 | BOOST_CHECK_EQUAL(queriesCount, 7); | |
5168 | ||
5169 | /* again, to test the cache */ | |
5170 | ret.clear(); | |
5171 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5172 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5173 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
5174 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
5175 | BOOST_CHECK_EQUAL(queriesCount, 7); | |
5176 | ||
5177 | /* this time we ask for the NS that should be in the cache, to check | |
5178 | the validation status */ | |
5179 | ret.clear(); | |
5180 | res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
5181 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5182 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
5183 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
5374b03b | 5184 | BOOST_CHECK_EQUAL(queriesCount, 8); |
428f41b7 RG |
5185 | } |
5186 | ||
b7f378d1 | 5187 | BOOST_AUTO_TEST_CASE(test_dnssec_secure_with_nta) { |
8455425c | 5188 | std::unique_ptr<SyncRes> sr; |
895449a5 | 5189 | initSR(sr, true); |
8455425c | 5190 | |
0c43f455 | 5191 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
8455425c RG |
5192 | |
5193 | primeHints(); | |
b7f378d1 RG |
5194 | const DNSName target("powerdns.com."); |
5195 | const ComboAddress targetAddr("192.0.2.42"); | |
5196 | testkeysset_t keys; | |
8455425c RG |
5197 | |
5198 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
5199 | luaconfsCopy.dsAnchors.clear(); | |
b7f378d1 RG |
5200 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); |
5201 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5202 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5203 | ||
5204 | /* Add a NTA for "powerdns.com" */ | |
5205 | luaconfsCopy.negAnchors[target] = "NTA for PowerDNS.com"; | |
8455425c | 5206 | |
8455425c RG |
5207 | g_luaconfs.setState(luaconfsCopy); |
5208 | ||
5209 | size_t queriesCount = 0; | |
5210 | ||
0bd2e252 | 5211 | sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
8455425c RG |
5212 | queriesCount++; |
5213 | ||
b7f378d1 RG |
5214 | DNSName auth = domain; |
5215 | if (domain == target) { | |
5216 | auth = DNSName("powerdns.com."); | |
5217 | } | |
5374b03b RG |
5218 | |
5219 | if (type == QType::DS || type == QType::DNSKEY) { | |
5220 | return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); | |
b7f378d1 | 5221 | } |
5374b03b RG |
5222 | |
5223 | if (isRootServer(ip)) { | |
5224 | setLWResult(res, 0, false, false, true); | |
5225 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5226 | addDS(DNSName("com."), 300, res->d_records, keys); | |
5227 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
5228 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
b7f378d1 RG |
5229 | return 1; |
5230 | } | |
5374b03b RG |
5231 | |
5232 | if (ip == ComboAddress("192.0.2.1:53")) { | |
5233 | if (domain == DNSName("com.")) { | |
5234 | setLWResult(res, 0, true, false, true); | |
5235 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
5236 | addRRSIG(keys, res->d_records, domain, 300); | |
b7f378d1 | 5237 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); |
5374b03b | 5238 | addRRSIG(keys, res->d_records, domain, 300); |
b7f378d1 | 5239 | } |
5374b03b RG |
5240 | else { |
5241 | setLWResult(res, 0, false, false, true); | |
5242 | addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5243 | addDS(auth, 300, res->d_records, keys); | |
5244 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
5245 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
b7f378d1 | 5246 | } |
5374b03b RG |
5247 | return 1; |
5248 | } | |
5249 | ||
5250 | if (ip == ComboAddress("192.0.2.2:53")) { | |
5251 | if (type == QType::NS) { | |
5252 | setLWResult(res, 0, true, false, true); | |
5253 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
5254 | addRRSIG(keys, res->d_records, auth, 300); | |
5255 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
5256 | addRRSIG(keys, res->d_records, auth, 300); | |
5257 | } | |
5258 | else { | |
5259 | setLWResult(res, RCode::NoError, true, false, true); | |
5260 | addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); | |
5261 | addRRSIG(keys, res->d_records, auth, 300); | |
b7f378d1 | 5262 | } |
5374b03b | 5263 | return 1; |
b7f378d1 RG |
5264 | } |
5265 | ||
5266 | return 0; | |
5267 | }); | |
5268 | ||
5269 | vector<DNSRecord> ret; | |
5270 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5271 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5272 | /* Should be insecure because of the NTA */ | |
5273 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
5274 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
5374b03b | 5275 | BOOST_CHECK_EQUAL(queriesCount, 5); |
b7f378d1 RG |
5276 | |
5277 | /* again, to test the cache */ | |
5278 | ret.clear(); | |
5279 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5280 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5281 | /* Should be insecure because of the NTA */ | |
5282 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
5283 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
5374b03b | 5284 | BOOST_CHECK_EQUAL(queriesCount, 5); |
b7f378d1 RG |
5285 | } |
5286 | ||
5287 | BOOST_AUTO_TEST_CASE(test_dnssec_bogus_with_nta) { | |
5288 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 5289 | initSR(sr, true); |
b7f378d1 | 5290 | |
0c43f455 | 5291 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
b7f378d1 RG |
5292 | |
5293 | primeHints(); | |
5294 | const DNSName target("powerdns.com."); | |
5295 | const ComboAddress targetAddr("192.0.2.42"); | |
5296 | testkeysset_t keys; | |
5297 | ||
5298 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
5299 | luaconfsCopy.dsAnchors.clear(); | |
5300 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
5301 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5302 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5303 | ||
5304 | /* Add a NTA for "powerdns.com" */ | |
5305 | luaconfsCopy.negAnchors[target] = "NTA for PowerDNS.com"; | |
5306 | ||
5307 | g_luaconfs.setState(luaconfsCopy); | |
5308 | ||
5309 | size_t queriesCount = 0; | |
5310 | ||
0bd2e252 | 5311 | sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
b7f378d1 RG |
5312 | queriesCount++; |
5313 | ||
5314 | if (type == QType::DS || type == QType::DNSKEY) { | |
5e543cab | 5315 | setLWResult(res, 0, true, false, true); |
b7f378d1 RG |
5316 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
5317 | return 1; | |
5318 | } | |
f24465e5 | 5319 | else { |
b7f378d1 RG |
5320 | if (isRootServer(ip)) { |
5321 | setLWResult(res, 0, false, false, true); | |
5322 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5323 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
5324 | return 1; | |
5325 | } | |
5326 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
f24465e5 RG |
5327 | if (domain == DNSName("com.")) { |
5328 | setLWResult(res, 0, true, false, true); | |
5329 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
5330 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
5331 | } | |
5332 | else { | |
5333 | setLWResult(res, 0, false, false, true); | |
5334 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5335 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
5336 | } | |
b7f378d1 RG |
5337 | return 1; |
5338 | } | |
5339 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
f24465e5 RG |
5340 | if (type == QType::NS) { |
5341 | setLWResult(res, 0, true, false, true); | |
5342 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
5343 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
5344 | } | |
5345 | else { | |
5346 | setLWResult(res, RCode::NoError, true, false, true); | |
5347 | addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); | |
5348 | } | |
b7f378d1 RG |
5349 | return 1; |
5350 | } | |
5351 | } | |
5352 | ||
5353 | return 0; | |
5354 | }); | |
5355 | ||
5356 | /* There is TA for root but no DS/DNSKEY/RRSIG, should be Bogus, but.. */ | |
5357 | vector<DNSRecord> ret; | |
5358 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5359 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5360 | /* Should be insecure because of the NTA */ | |
5361 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
5362 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
5374b03b | 5363 | BOOST_CHECK_EQUAL(queriesCount, 4); |
b7f378d1 RG |
5364 | |
5365 | /* again, to test the cache */ | |
5366 | ret.clear(); | |
5367 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5368 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5369 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
5370 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
5374b03b | 5371 | BOOST_CHECK_EQUAL(queriesCount, 4); |
b7f378d1 RG |
5372 | } |
5373 | ||
5374 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec) { | |
5375 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 5376 | initSR(sr, true); |
b7f378d1 | 5377 | |
0c43f455 | 5378 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
b7f378d1 RG |
5379 | |
5380 | primeHints(); | |
5381 | const DNSName target("powerdns.com."); | |
5382 | testkeysset_t keys; | |
5383 | ||
5384 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
5385 | luaconfsCopy.dsAnchors.clear(); | |
5386 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
5387 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5388 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5389 | ||
5390 | g_luaconfs.setState(luaconfsCopy); | |
5391 | ||
5392 | size_t queriesCount = 0; | |
5393 | ||
0bd2e252 | 5394 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
b7f378d1 RG |
5395 | queriesCount++; |
5396 | ||
5374b03b RG |
5397 | if (type == QType::DS || type == QType::DNSKEY) { |
5398 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
b7f378d1 | 5399 | } |
f24465e5 | 5400 | else { |
b7f378d1 RG |
5401 | if (isRootServer(ip)) { |
5402 | setLWResult(res, 0, false, false, true); | |
5403 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5404 | addDS(DNSName("com."), 300, res->d_records, keys); | |
5405 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
5406 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
5407 | return 1; | |
5408 | } | |
5409 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
f24465e5 RG |
5410 | if (domain == DNSName("com.")) { |
5411 | setLWResult(res, 0, true, false, true); | |
5412 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
5413 | addRRSIG(keys, res->d_records, domain, 300); | |
5414 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
5415 | addRRSIG(keys, res->d_records, domain, 300); | |
5416 | } | |
5417 | else { | |
5418 | setLWResult(res, 0, false, false, true); | |
5419 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5420 | addDS(domain, 300, res->d_records, keys); | |
5421 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
5422 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
5423 | } | |
b7f378d1 RG |
5424 | return 1; |
5425 | } | |
5426 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
f24465e5 RG |
5427 | if (type == QType::NS) { |
5428 | setLWResult(res, 0, true, false, true); | |
5429 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
5430 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
5431 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
5432 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
5433 | } | |
5434 | else { | |
5435 | setLWResult(res, 0, true, false, true); | |
5436 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
5437 | addRRSIG(keys, res->d_records, domain, 300); | |
5438 | addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS, QType::DNSKEY }, 600, res->d_records); | |
5439 | addRRSIG(keys, res->d_records, domain, 300); | |
5440 | } | |
b7f378d1 RG |
5441 | return 1; |
5442 | } | |
5443 | } | |
5444 | ||
5445 | return 0; | |
5446 | }); | |
5447 | ||
5448 | vector<DNSRecord> ret; | |
5449 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5450 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5451 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
5452 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
f24465e5 | 5453 | BOOST_CHECK_EQUAL(queriesCount, 8); |
b7f378d1 RG |
5454 | |
5455 | /* again, to test the cache */ | |
5456 | ret.clear(); | |
5457 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5458 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5459 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
5460 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
f24465e5 | 5461 | BOOST_CHECK_EQUAL(queriesCount, 8); |
b7f378d1 RG |
5462 | } |
5463 | ||
5464 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_nxdomain_nsec) { | |
5465 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 5466 | initSR(sr, true); |
b7f378d1 | 5467 | |
0c43f455 | 5468 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
b7f378d1 RG |
5469 | |
5470 | primeHints(); | |
5471 | const DNSName target("nx.powerdns.com."); | |
5472 | testkeysset_t keys; | |
5473 | ||
5474 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
5475 | luaconfsCopy.dsAnchors.clear(); | |
5476 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
5477 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5478 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5479 | ||
5480 | g_luaconfs.setState(luaconfsCopy); | |
5481 | ||
5482 | size_t queriesCount = 0; | |
5483 | ||
0bd2e252 | 5484 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
b7f378d1 RG |
5485 | queriesCount++; |
5486 | ||
5487 | DNSName auth = domain; | |
5488 | if (domain == target) { | |
5489 | auth = DNSName("powerdns.com."); | |
5490 | } | |
5374b03b RG |
5491 | if (type == QType::DS || type == QType::DNSKEY) { |
5492 | if (type == QType::DS && domain == target) { | |
5493 | setLWResult(res, RCode::NXDomain, true, false, true); | |
5494 | addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
5495 | addRRSIG(keys, res->d_records, auth, 300); | |
5496 | addNSECRecordToLW(DNSName("nw.powerdns.com."), DNSName("ny.powerdns.com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records); | |
5497 | addRRSIG(keys, res->d_records, auth, 300); | |
5498 | return 1; | |
5499 | } | |
5500 | else { | |
5501 | return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); | |
5502 | } | |
b7f378d1 | 5503 | } |
f24465e5 | 5504 | else { |
b7f378d1 RG |
5505 | if (isRootServer(ip)) { |
5506 | setLWResult(res, 0, false, false, true); | |
5507 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5508 | addDS(DNSName("com."), 300, res->d_records, keys); | |
5509 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
5510 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
5511 | return 1; | |
5512 | } | |
5513 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
f24465e5 RG |
5514 | if (domain == DNSName("com.")) { |
5515 | setLWResult(res, 0, true, false, true); | |
5516 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
5517 | addRRSIG(keys, res->d_records, domain, 300); | |
5518 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
5519 | addRRSIG(keys, res->d_records, domain, 300); | |
5520 | } | |
5521 | else { | |
5522 | setLWResult(res, 0, false, false, true); | |
5523 | addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5524 | addDS(auth, 300, res->d_records, keys); | |
5525 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
5526 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
5527 | } | |
b7f378d1 RG |
5528 | return 1; |
5529 | } | |
5530 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
f24465e5 RG |
5531 | if (type == QType::NS) { |
5532 | setLWResult(res, 0, true, false, true); | |
5533 | if (domain == DNSName("powerdns.com.")) { | |
5534 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
5535 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
5536 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
5537 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
5538 | } | |
5539 | else { | |
5540 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
5541 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
5542 | addNSECRecordToLW(DNSName("nx.powerdns.com."), DNSName("nz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
5543 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
5544 | } | |
5545 | } | |
5546 | else { | |
5547 | setLWResult(res, RCode::NXDomain, true, false, true); | |
5548 | addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
5549 | addRRSIG(keys, res->d_records, auth, 300); | |
5550 | addNSECRecordToLW(DNSName("nw.powerdns.com."), DNSName("ny.powerdns.com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records); | |
5551 | addRRSIG(keys, res->d_records, auth, 300); | |
9b061cf5 RG |
5552 | /* add wildcard denial */ |
5553 | addNSECRecordToLW(DNSName("powerdns.com."), DNSName("a.powerdns.com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records); | |
5554 | addRRSIG(keys, res->d_records, auth, 300); | |
f24465e5 | 5555 | } |
b7f378d1 RG |
5556 | return 1; |
5557 | } | |
5558 | } | |
5559 | ||
5560 | return 0; | |
5561 | }); | |
5562 | ||
5563 | vector<DNSRecord> ret; | |
5564 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5565 | BOOST_CHECK_EQUAL(res, RCode::NXDomain); | |
5566 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
9b061cf5 | 5567 | BOOST_REQUIRE_EQUAL(ret.size(), 6); |
f24465e5 | 5568 | BOOST_CHECK_EQUAL(queriesCount, 9); |
b7f378d1 RG |
5569 | |
5570 | /* again, to test the cache */ | |
5571 | ret.clear(); | |
5572 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5573 | BOOST_CHECK_EQUAL(res, RCode::NXDomain); | |
5574 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
9b061cf5 | 5575 | BOOST_REQUIRE_EQUAL(ret.size(), 6); |
f24465e5 | 5576 | BOOST_CHECK_EQUAL(queriesCount, 9); |
b7f378d1 RG |
5577 | } |
5578 | ||
2b984251 RG |
5579 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard) { |
5580 | std::unique_ptr<SyncRes> sr; | |
5581 | initSR(sr, true); | |
5582 | ||
0c43f455 | 5583 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
2b984251 RG |
5584 | |
5585 | primeHints(); | |
5586 | const DNSName target("www.powerdns.com."); | |
5587 | testkeysset_t keys; | |
5588 | ||
5589 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
5590 | luaconfsCopy.dsAnchors.clear(); | |
5591 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
5592 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5593 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5594 | ||
5595 | g_luaconfs.setState(luaconfsCopy); | |
5596 | ||
5597 | size_t queriesCount = 0; | |
5598 | ||
0bd2e252 | 5599 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
2b984251 RG |
5600 | queriesCount++; |
5601 | ||
5374b03b RG |
5602 | if (type == QType::DS || type == QType::DNSKEY) { |
5603 | if (type == QType::DS && domain == target) { | |
5604 | setLWResult(res, RCode::NoError, true, false, true); | |
5605 | addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
5606 | addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300); | |
5607 | addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
5608 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
5609 | return 1; | |
5610 | } | |
5611 | else { | |
5612 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
5613 | } | |
2b984251 | 5614 | } |
f24465e5 | 5615 | else { |
2b984251 RG |
5616 | if (isRootServer(ip)) { |
5617 | setLWResult(res, 0, false, false, true); | |
5618 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5619 | addDS(DNSName("com."), 300, res->d_records, keys); | |
5620 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
5621 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
5622 | return 1; | |
5623 | } | |
5624 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
f24465e5 RG |
5625 | if (domain == DNSName("com.")) { |
5626 | setLWResult(res, 0, true, false, true); | |
5627 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
5628 | addRRSIG(keys, res->d_records, domain, 300); | |
5629 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
5630 | addRRSIG(keys, res->d_records, domain, 300); | |
5631 | } | |
5632 | else { | |
5633 | setLWResult(res, 0, false, false, true); | |
5634 | addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5635 | addDS(DNSName("powerdns.com."), 300, res->d_records, keys); | |
5636 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
5637 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
5638 | } | |
2b984251 RG |
5639 | return 1; |
5640 | } | |
5641 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
5642 | setLWResult(res, 0, true, false, true); | |
f24465e5 RG |
5643 | if (type == QType::NS) { |
5644 | if (domain == DNSName("powerdns.com.")) { | |
5645 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
5646 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
5647 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
5648 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
5649 | } | |
5650 | else { | |
5651 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
5652 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
5653 | addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
5654 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
5655 | } | |
5656 | } | |
5657 | else { | |
5658 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
5659 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com")); | |
9b061cf5 | 5660 | /* we need to add the proof that this name does not exist, so the wildcard may apply */ |
f24465e5 RG |
5661 | addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); |
5662 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
5663 | } | |
2b984251 RG |
5664 | return 1; |
5665 | } | |
5666 | } | |
5667 | ||
5668 | return 0; | |
5669 | }); | |
5670 | ||
5671 | vector<DNSRecord> ret; | |
5672 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5673 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5674 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
5675 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
f24465e5 | 5676 | BOOST_CHECK_EQUAL(queriesCount, 9); |
2b984251 RG |
5677 | |
5678 | /* again, to test the cache */ | |
5679 | ret.clear(); | |
5680 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5681 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5682 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
5683 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
f24465e5 | 5684 | BOOST_CHECK_EQUAL(queriesCount, 9); |
2b984251 RG |
5685 | } |
5686 | ||
9b061cf5 RG |
5687 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_nodata_nowildcard) { |
5688 | std::unique_ptr<SyncRes> sr; | |
5689 | initSR(sr, true); | |
5690 | ||
5691 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
5692 | ||
5693 | primeHints(); | |
5694 | const DNSName target("www.com."); | |
5695 | testkeysset_t keys; | |
5696 | ||
5697 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
5698 | luaconfsCopy.dsAnchors.clear(); | |
5699 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
5700 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5701 | ||
5702 | g_luaconfs.setState(luaconfsCopy); | |
5703 | ||
5704 | size_t queriesCount = 0; | |
5705 | ||
0bd2e252 | 5706 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
9b061cf5 RG |
5707 | queriesCount++; |
5708 | ||
5709 | if (type == QType::DS || type == QType::DNSKEY) { | |
5710 | if (type == QType::DS && domain == target) { | |
5711 | DNSName auth("com."); | |
5712 | setLWResult(res, 0, true, false, true); | |
5713 | ||
5714 | addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); | |
5715 | addRRSIG(keys, res->d_records, auth, 300); | |
5716 | /* add a NSEC denying the DS AND the existence of a cut (no NS) */ | |
5717 | addNSECRecordToLW(domain, DNSName("z") + domain, { QType::NSEC }, 600, res->d_records); | |
5718 | addRRSIG(keys, res->d_records, auth, 300); | |
5719 | return 1; | |
5720 | } | |
5721 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
5722 | } | |
5723 | else { | |
5724 | if (isRootServer(ip)) { | |
5725 | setLWResult(res, 0, false, false, true); | |
5726 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5727 | addDS(DNSName("com."), 300, res->d_records, keys); | |
5728 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
5729 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
5730 | return 1; | |
5731 | } | |
5732 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
5733 | setLWResult(res, 0, true, false, true); | |
5734 | /* no data */ | |
5735 | addRecordToLW(res, DNSName("com."), QType::SOA, "com. com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
5736 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
5737 | /* no record for this name */ | |
5738 | addNSECRecordToLW(DNSName("wwv.com."), DNSName("wwx.com."), { QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
5739 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
5740 | /* a wildcard matches but has no record for this type */ | |
5741 | addNSECRecordToLW(DNSName("*.com."), DNSName("com."), { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
5742 | addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com")); | |
5743 | return 1; | |
5744 | } | |
5745 | } | |
5746 | ||
5747 | return 0; | |
5748 | }); | |
5749 | ||
5750 | vector<DNSRecord> ret; | |
5751 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5752 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5753 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
5754 | BOOST_REQUIRE_EQUAL(ret.size(), 6); | |
5755 | BOOST_CHECK_EQUAL(queriesCount, 6); | |
5756 | ||
5757 | /* again, to test the cache */ | |
5758 | ret.clear(); | |
5759 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5760 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5761 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
5762 | BOOST_REQUIRE_EQUAL(ret.size(), 6); | |
5763 | BOOST_CHECK_EQUAL(queriesCount, 6); | |
5764 | } | |
5765 | ||
5766 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard) { | |
5767 | std::unique_ptr<SyncRes> sr; | |
5768 | initSR(sr, true); | |
5769 | ||
5770 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
5771 | ||
5772 | primeHints(); | |
5773 | const DNSName target("www.com."); | |
5774 | testkeysset_t keys; | |
5775 | ||
5776 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
5777 | luaconfsCopy.dsAnchors.clear(); | |
5778 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
5779 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5780 | ||
5781 | g_luaconfs.setState(luaconfsCopy); | |
5782 | ||
5783 | size_t queriesCount = 0; | |
5784 | ||
0bd2e252 | 5785 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
9b061cf5 RG |
5786 | queriesCount++; |
5787 | ||
5788 | if (type == QType::DS || type == QType::DNSKEY) { | |
5789 | if (type == QType::DS && domain == target) { | |
5790 | DNSName auth("com."); | |
5791 | setLWResult(res, 0, true, false, true); | |
5792 | ||
5793 | addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); | |
5794 | addRRSIG(keys, res->d_records, auth, 300); | |
5795 | /* add a NSEC3 denying the DS AND the existence of a cut (no NS) */ | |
5796 | /* first the closest encloser */ | |
5797 | addNSEC3UnhashedRecordToLW(DNSName("com."), auth, "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records); | |
5798 | addRRSIG(keys, res->d_records, auth, 300); | |
5799 | /* then the next closer */ | |
5800 | addNSEC3NarrowRecordToLW(domain, DNSName("com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records); | |
5801 | addRRSIG(keys, res->d_records, auth, 300); | |
5802 | /* a wildcard matches but has no record for this type */ | |
5803 | addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
5804 | addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com")); | |
5805 | return 1; | |
5806 | } | |
5807 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
5808 | } | |
5809 | else { | |
5810 | if (isRootServer(ip)) { | |
5811 | setLWResult(res, 0, false, false, true); | |
5812 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5813 | addDS(DNSName("com."), 300, res->d_records, keys); | |
5814 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
5815 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
5816 | return 1; | |
5817 | } | |
5818 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
5819 | setLWResult(res, 0, true, false, true); | |
5820 | /* no data */ | |
5821 | addRecordToLW(res, DNSName("com."), QType::SOA, "com. com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
5822 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
5823 | /* no record for this name */ | |
5824 | /* first the closest encloser */ | |
5825 | addNSEC3UnhashedRecordToLW(DNSName("com."), DNSName("com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records); | |
5826 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
5827 | /* then the next closer */ | |
5828 | addNSEC3NarrowRecordToLW(domain, DNSName("com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records); | |
5829 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
5830 | /* a wildcard matches but has no record for this type */ | |
5831 | addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
5832 | addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com")); | |
5833 | return 1; | |
5834 | } | |
5835 | } | |
5836 | ||
5837 | return 0; | |
5838 | }); | |
5839 | ||
5840 | vector<DNSRecord> ret; | |
5841 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5842 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5843 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
5844 | BOOST_REQUIRE_EQUAL(ret.size(), 8); | |
5845 | BOOST_CHECK_EQUAL(queriesCount, 6); | |
5846 | ||
5847 | /* again, to test the cache */ | |
5848 | ret.clear(); | |
5849 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5850 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5851 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
5852 | BOOST_REQUIRE_EQUAL(ret.size(), 8); | |
5853 | BOOST_CHECK_EQUAL(queriesCount, 6); | |
5854 | } | |
5855 | ||
b7c40613 RG |
5856 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard_too_many_iterations) { |
5857 | std::unique_ptr<SyncRes> sr; | |
5858 | initSR(sr, true); | |
5859 | ||
5860 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
5861 | ||
5862 | primeHints(); | |
5863 | const DNSName target("www.com."); | |
5864 | testkeysset_t keys; | |
5865 | ||
5866 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
5867 | luaconfsCopy.dsAnchors.clear(); | |
5868 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
5869 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5870 | ||
5871 | g_luaconfs.setState(luaconfsCopy); | |
5872 | ||
5873 | size_t queriesCount = 0; | |
5874 | ||
0bd2e252 | 5875 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
b7c40613 RG |
5876 | queriesCount++; |
5877 | ||
5878 | if (type == QType::DS || type == QType::DNSKEY) { | |
5879 | if (type == QType::DS && domain == target) { | |
5880 | DNSName auth("com."); | |
5881 | setLWResult(res, 0, true, false, true); | |
5882 | ||
5883 | addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); | |
5884 | addRRSIG(keys, res->d_records, auth, 300); | |
5885 | /* add a NSEC3 denying the DS AND the existence of a cut (no NS) */ | |
5886 | /* first the closest encloser */ | |
5887 | addNSEC3UnhashedRecordToLW(DNSName("com."), auth, "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records, g_maxNSEC3Iterations + 100); | |
5888 | addRRSIG(keys, res->d_records, auth, 300); | |
5889 | /* then the next closer */ | |
5890 | addNSEC3NarrowRecordToLW(domain, DNSName("com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records, g_maxNSEC3Iterations + 100); | |
5891 | addRRSIG(keys, res->d_records, auth, 300); | |
5892 | /* a wildcard matches but has no record for this type */ | |
5893 | addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records, g_maxNSEC3Iterations + 100); | |
5894 | addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com")); | |
5895 | return 1; | |
5896 | } | |
5897 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
5898 | } | |
5899 | else { | |
5900 | if (isRootServer(ip)) { | |
5901 | setLWResult(res, 0, false, false, true); | |
5902 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5903 | addDS(DNSName("com."), 300, res->d_records, keys); | |
5904 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
5905 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
5906 | return 1; | |
5907 | } | |
5908 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
5909 | setLWResult(res, 0, true, false, true); | |
5910 | /* no data */ | |
5911 | addRecordToLW(res, DNSName("com."), QType::SOA, "com. com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
5912 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
5913 | /* no record for this name */ | |
5914 | /* first the closest encloser */ | |
5915 | addNSEC3UnhashedRecordToLW(DNSName("com."), DNSName("com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records, g_maxNSEC3Iterations + 100); | |
5916 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
5917 | /* then the next closer */ | |
5918 | addNSEC3NarrowRecordToLW(domain, DNSName("com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records, g_maxNSEC3Iterations + 100); | |
5919 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
5920 | /* a wildcard matches but has no record for this type */ | |
5921 | addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records, g_maxNSEC3Iterations + 100); | |
5922 | addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com")); | |
5923 | return 1; | |
5924 | } | |
5925 | } | |
5926 | ||
5927 | return 0; | |
5928 | }); | |
5929 | ||
5930 | /* we are generating NSEC3 with more iterations than we allow, so we should go Insecure */ | |
5931 | vector<DNSRecord> ret; | |
5932 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5933 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5934 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
5935 | BOOST_REQUIRE_EQUAL(ret.size(), 8); | |
5936 | BOOST_CHECK_EQUAL(queriesCount, 6); | |
5937 | ||
5938 | /* again, to test the cache */ | |
5939 | ret.clear(); | |
5940 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
5941 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
5942 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
5943 | BOOST_REQUIRE_EQUAL(ret.size(), 8); | |
5944 | BOOST_CHECK_EQUAL(queriesCount, 6); | |
5945 | } | |
5946 | ||
9b061cf5 RG |
5947 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_wildcard) { |
5948 | std::unique_ptr<SyncRes> sr; | |
5949 | initSR(sr, true); | |
5950 | ||
5951 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
5952 | ||
5953 | primeHints(); | |
e4894ce0 | 5954 | const DNSName target("www.sub.powerdns.com."); |
9b061cf5 RG |
5955 | testkeysset_t keys; |
5956 | ||
5957 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
5958 | luaconfsCopy.dsAnchors.clear(); | |
5959 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
5960 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5961 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
5962 | ||
5963 | g_luaconfs.setState(luaconfsCopy); | |
5964 | ||
5965 | size_t queriesCount = 0; | |
5966 | ||
0bd2e252 | 5967 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
9b061cf5 RG |
5968 | queriesCount++; |
5969 | ||
5970 | if (type == QType::DS || type == QType::DNSKEY) { | |
e4894ce0 | 5971 | if (type == QType::DS && domain.isPartOf(DNSName("sub.powerdns.com"))) { |
9b061cf5 RG |
5972 | setLWResult(res, RCode::NoError, true, false, true); |
5973 | addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
5974 | addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300); | |
e4894ce0 RG |
5975 | if (domain == DNSName("sub.powerdns.com")) { |
5976 | addNSECRecordToLW(DNSName("sub.powerdns.com."), DNSName("sud.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
5977 | } | |
5978 | else if (domain == target) { | |
5979 | addNSECRecordToLW(DNSName("www.sub.powerdns.com."), DNSName("wwz.sub.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
5980 | } | |
9b061cf5 RG |
5981 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); |
5982 | return 1; | |
5983 | } | |
5984 | else { | |
5985 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
5986 | } | |
5987 | } | |
5988 | else { | |
5989 | if (isRootServer(ip)) { | |
5990 | setLWResult(res, 0, false, false, true); | |
5991 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
5992 | addDS(DNSName("com."), 300, res->d_records, keys); | |
5993 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
5994 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
5995 | return 1; | |
5996 | } | |
5997 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
5998 | if (domain == DNSName("com.")) { | |
5999 | setLWResult(res, 0, true, false, true); | |
6000 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
6001 | addRRSIG(keys, res->d_records, domain, 300); | |
6002 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6003 | addRRSIG(keys, res->d_records, domain, 300); | |
6004 | } | |
6005 | else { | |
6006 | setLWResult(res, 0, false, false, true); | |
6007 | addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6008 | addDS(DNSName("powerdns.com."), 300, res->d_records, keys); | |
6009 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
6010 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6011 | } | |
6012 | return 1; | |
6013 | } | |
6014 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
6015 | setLWResult(res, 0, true, false, true); | |
6016 | if (type == QType::NS) { | |
6017 | if (domain == DNSName("powerdns.com.")) { | |
6018 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
6019 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6020 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6021 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6022 | } | |
6023 | else { | |
6024 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
6025 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6026 | addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
6027 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6028 | } | |
6029 | } | |
6030 | else { | |
6031 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
6032 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com")); | |
6033 | /* we need to add the proof that this name does not exist, so the wildcard may apply */ | |
6034 | /* first the closest encloser */ | |
6035 | addNSEC3UnhashedRecordToLW(DNSName("powerdns.com."), DNSName("powerdns.com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records); | |
6036 | addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300); | |
6037 | /* then the next closer */ | |
e4894ce0 | 6038 | addNSEC3NarrowRecordToLW(DNSName("sub.powerdns.com."), DNSName("powerdns.com."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records); |
9b061cf5 RG |
6039 | addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300); |
6040 | } | |
6041 | return 1; | |
6042 | } | |
6043 | } | |
6044 | ||
6045 | return 0; | |
6046 | }); | |
6047 | ||
6048 | vector<DNSRecord> ret; | |
6049 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6050 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6051 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
6052 | BOOST_REQUIRE_EQUAL(ret.size(), 6); | |
e4894ce0 | 6053 | BOOST_CHECK_EQUAL(queriesCount, 10); |
9b061cf5 RG |
6054 | |
6055 | /* again, to test the cache */ | |
6056 | ret.clear(); | |
6057 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6058 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6059 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
6060 | BOOST_REQUIRE_EQUAL(ret.size(), 6); | |
e4894ce0 | 6061 | BOOST_CHECK_EQUAL(queriesCount, 10); |
9b061cf5 RG |
6062 | } |
6063 | ||
b7c40613 RG |
6064 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_wildcard_too_many_iterations) { |
6065 | std::unique_ptr<SyncRes> sr; | |
6066 | initSR(sr, true); | |
6067 | ||
6068 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
6069 | ||
6070 | primeHints(); | |
6071 | const DNSName target("www.powerdns.com."); | |
6072 | testkeysset_t keys; | |
6073 | ||
6074 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
6075 | luaconfsCopy.dsAnchors.clear(); | |
6076 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
6077 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6078 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6079 | ||
6080 | g_luaconfs.setState(luaconfsCopy); | |
6081 | ||
6082 | size_t queriesCount = 0; | |
6083 | ||
0bd2e252 | 6084 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
b7c40613 RG |
6085 | queriesCount++; |
6086 | ||
6087 | if (type == QType::DS || type == QType::DNSKEY) { | |
6088 | if (type == QType::DS && domain == target) { | |
6089 | setLWResult(res, RCode::NoError, true, false, true); | |
6090 | addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
6091 | addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300); | |
6092 | addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
6093 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6094 | return 1; | |
6095 | } | |
6096 | else { | |
6097 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
6098 | } | |
6099 | } | |
6100 | else { | |
6101 | if (isRootServer(ip)) { | |
6102 | setLWResult(res, 0, false, false, true); | |
6103 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6104 | addDS(DNSName("com."), 300, res->d_records, keys); | |
6105 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
6106 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6107 | return 1; | |
6108 | } | |
6109 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
6110 | if (domain == DNSName("com.")) { | |
6111 | setLWResult(res, 0, true, false, true); | |
6112 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
6113 | addRRSIG(keys, res->d_records, domain, 300); | |
6114 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6115 | addRRSIG(keys, res->d_records, domain, 300); | |
6116 | } | |
6117 | else { | |
6118 | setLWResult(res, 0, false, false, true); | |
6119 | addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6120 | addDS(DNSName("powerdns.com."), 300, res->d_records, keys); | |
6121 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
6122 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6123 | } | |
6124 | return 1; | |
6125 | } | |
6126 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
6127 | setLWResult(res, 0, true, false, true); | |
6128 | if (type == QType::NS) { | |
6129 | if (domain == DNSName("powerdns.com.")) { | |
6130 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
6131 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6132 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6133 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6134 | } | |
6135 | else { | |
6136 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
6137 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6138 | addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
6139 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6140 | } | |
6141 | } | |
6142 | else { | |
6143 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
6144 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com")); | |
6145 | /* we need to add the proof that this name does not exist, so the wildcard may apply */ | |
6146 | /* first the closest encloser */ | |
6147 | addNSEC3UnhashedRecordToLW(DNSName("powerdns.com."), DNSName("powerdns.com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records); | |
6148 | addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300); | |
6149 | /* then the next closer */ | |
6150 | addNSEC3NarrowRecordToLW(DNSName("www.powerdns.com."), DNSName("powerdns.com."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records, g_maxNSEC3Iterations + 100); | |
6151 | addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300); | |
6152 | } | |
6153 | return 1; | |
6154 | } | |
6155 | } | |
6156 | ||
6157 | return 0; | |
6158 | }); | |
6159 | ||
6160 | /* the NSEC3 providing the denial of existence proof for the next closer has too many iterations, | |
6161 | we should end up Insecure */ | |
6162 | vector<DNSRecord> ret; | |
6163 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6164 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6165 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
6166 | BOOST_REQUIRE_EQUAL(ret.size(), 6); | |
6167 | BOOST_CHECK_EQUAL(queriesCount, 9); | |
6168 | ||
6169 | /* again, to test the cache */ | |
6170 | ret.clear(); | |
6171 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6172 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6173 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
6174 | BOOST_REQUIRE_EQUAL(ret.size(), 6); | |
6175 | BOOST_CHECK_EQUAL(queriesCount, 9); | |
6176 | } | |
6177 | ||
9b061cf5 RG |
6178 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_missing) { |
6179 | std::unique_ptr<SyncRes> sr; | |
6180 | initSR(sr, true); | |
6181 | ||
6182 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
6183 | ||
6184 | primeHints(); | |
6185 | const DNSName target("www.powerdns.com."); | |
6186 | testkeysset_t keys; | |
6187 | ||
6188 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
6189 | luaconfsCopy.dsAnchors.clear(); | |
6190 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
6191 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6192 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6193 | ||
6194 | g_luaconfs.setState(luaconfsCopy); | |
6195 | ||
6196 | size_t queriesCount = 0; | |
6197 | ||
0bd2e252 | 6198 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
9b061cf5 RG |
6199 | queriesCount++; |
6200 | ||
6201 | if (type == QType::DS || type == QType::DNSKEY) { | |
6202 | if (type == QType::DS && domain == target) { | |
6203 | setLWResult(res, RCode::NoError, true, false, true); | |
6204 | addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
6205 | addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300); | |
6206 | addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
6207 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6208 | return 1; | |
6209 | } | |
6210 | else { | |
6211 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
6212 | } | |
6213 | } | |
6214 | else { | |
6215 | if (isRootServer(ip)) { | |
6216 | setLWResult(res, 0, false, false, true); | |
6217 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6218 | addDS(DNSName("com."), 300, res->d_records, keys); | |
6219 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
6220 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6221 | return 1; | |
6222 | } | |
6223 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
6224 | if (domain == DNSName("com.")) { | |
6225 | setLWResult(res, 0, true, false, true); | |
6226 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
6227 | addRRSIG(keys, res->d_records, domain, 300); | |
6228 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6229 | addRRSIG(keys, res->d_records, domain, 300); | |
6230 | } | |
6231 | else { | |
6232 | setLWResult(res, 0, false, false, true); | |
6233 | addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6234 | addDS(DNSName("powerdns.com."), 300, res->d_records, keys); | |
6235 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
6236 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6237 | } | |
6238 | return 1; | |
6239 | } | |
6240 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
6241 | setLWResult(res, 0, true, false, true); | |
6242 | if (type == QType::NS) { | |
6243 | if (domain == DNSName("powerdns.com.")) { | |
6244 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
6245 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6246 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6247 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6248 | } | |
6249 | else { | |
6250 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
6251 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6252 | addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
6253 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6254 | } | |
6255 | } | |
6256 | else { | |
6257 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
6258 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com")); | |
6259 | } | |
6260 | return 1; | |
6261 | } | |
6262 | } | |
6263 | ||
6264 | return 0; | |
6265 | }); | |
6266 | ||
6267 | vector<DNSRecord> ret; | |
6268 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6269 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6270 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
6271 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
6272 | BOOST_CHECK_EQUAL(queriesCount, 9); | |
6273 | ||
6274 | /* again, to test the cache */ | |
6275 | ret.clear(); | |
6276 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6277 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6278 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
6279 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
6280 | BOOST_CHECK_EQUAL(queriesCount, 9); | |
6281 | } | |
6282 | ||
a53e8fe3 RG |
6283 | BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_secure) { |
6284 | std::unique_ptr<SyncRes> sr; | |
6285 | initSR(sr, true); | |
6286 | ||
0c43f455 | 6287 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
a53e8fe3 RG |
6288 | |
6289 | primeHints(); | |
6290 | const DNSName target("www.powerdns.com."); | |
6291 | testkeysset_t keys; | |
6292 | ||
6293 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
6294 | luaconfsCopy.dsAnchors.clear(); | |
6295 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
6296 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6297 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6298 | ||
6299 | g_luaconfs.setState(luaconfsCopy); | |
6300 | ||
6301 | size_t queriesCount = 0; | |
6302 | size_t dsQueriesCount = 0; | |
6303 | ||
0bd2e252 | 6304 | sr->setAsyncCallback([target,&queriesCount,&dsQueriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
a53e8fe3 RG |
6305 | queriesCount++; |
6306 | ||
6307 | if (type == QType::DS) { | |
6308 | DNSName auth(domain); | |
6309 | auth.chopOff(); | |
6310 | dsQueriesCount++; | |
6311 | ||
6312 | setLWResult(res, 0, true, false, true); | |
6313 | addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER); | |
6314 | addRRSIG(keys, res->d_records, auth, 300); | |
6315 | return 1; | |
6316 | } | |
6317 | else if (type == QType::DNSKEY) { | |
6318 | setLWResult(res, 0, true, false, true); | |
6319 | addDNSKEY(keys, domain, 300, res->d_records); | |
6320 | addRRSIG(keys, res->d_records, domain, 300); | |
6321 | return 1; | |
6322 | } | |
f24465e5 | 6323 | else { |
a53e8fe3 RG |
6324 | if (isRootServer(ip)) { |
6325 | setLWResult(res, 0, false, false, true); | |
6326 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6327 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6328 | /* No DS on referral, and no denial of the DS either */ | |
6329 | return 1; | |
6330 | } | |
6331 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
f24465e5 RG |
6332 | if (domain == DNSName("com.")) { |
6333 | setLWResult(res, 0, true, false, true); | |
6334 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
6335 | addRRSIG(keys, res->d_records, domain, 300); | |
6336 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6337 | addRRSIG(keys, res->d_records, domain, 300); | |
6338 | } | |
6339 | else { | |
6340 | setLWResult(res, 0, false, false, true); | |
6341 | addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6342 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6343 | /* No DS on referral, and no denial of the DS either */ | |
6344 | } | |
a53e8fe3 RG |
6345 | return 1; |
6346 | } | |
6347 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
6348 | setLWResult(res, 0, true, false, true); | |
f24465e5 RG |
6349 | if (type == QType::NS) { |
6350 | if (domain == DNSName("powerdns.com.")) { | |
6351 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
6352 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6353 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6354 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6355 | } | |
6356 | else { | |
6357 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
6358 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6359 | addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
6360 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6361 | } | |
6362 | } | |
6363 | else { | |
6364 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
6365 | addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); | |
6366 | } | |
6367 | ||
a53e8fe3 RG |
6368 | return 1; |
6369 | } | |
6370 | } | |
6371 | ||
6372 | return 0; | |
6373 | }); | |
6374 | ||
6375 | vector<DNSRecord> ret; | |
6376 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6377 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6378 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
f24465e5 | 6379 | BOOST_REQUIRE_EQUAL(ret.size(), 2); |
5374b03b RG |
6380 | BOOST_CHECK_EQUAL(queriesCount, 9); |
6381 | BOOST_CHECK_EQUAL(dsQueriesCount, 3); | |
a53e8fe3 RG |
6382 | |
6383 | /* again, to test the cache */ | |
6384 | ret.clear(); | |
6385 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6386 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6387 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
f24465e5 | 6388 | BOOST_REQUIRE_EQUAL(ret.size(), 2); |
5374b03b RG |
6389 | BOOST_CHECK_EQUAL(queriesCount, 9); |
6390 | BOOST_CHECK_EQUAL(dsQueriesCount, 3); | |
a53e8fe3 RG |
6391 | } |
6392 | ||
f715542c RG |
6393 | BOOST_AUTO_TEST_CASE(test_dnssec_ds_sign_loop) { |
6394 | std::unique_ptr<SyncRes> sr; | |
6395 | initSR(sr, true); | |
6396 | ||
5d7b19c5 | 6397 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
f715542c RG |
6398 | |
6399 | primeHints(); | |
6400 | const DNSName target("www.powerdns.com."); | |
6401 | testkeysset_t keys; | |
6402 | ||
6403 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
6404 | luaconfsCopy.dsAnchors.clear(); | |
6405 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
6406 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
3cef03e9 | 6407 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); |
f715542c RG |
6408 | generateKeyMaterial(DNSName("www.powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); |
6409 | ||
6410 | g_luaconfs.setState(luaconfsCopy); | |
6411 | ||
6412 | size_t queriesCount = 0; | |
6413 | ||
0bd2e252 | 6414 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
f715542c RG |
6415 | queriesCount++; |
6416 | ||
6417 | if (type == QType::DS) { | |
6418 | DNSName auth(domain); | |
6419 | auth.chopOff(); | |
6420 | ||
6421 | setLWResult(res, 0, true, false, true); | |
6422 | if (domain == target) { | |
6423 | addRecordToLW(res, domain, QType::SOA, "ns1.powerdns.com. blah. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); | |
6424 | addRRSIG(keys, res->d_records, target, 300); | |
6425 | } | |
6426 | else { | |
6427 | addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER); | |
6428 | addRRSIG(keys, res->d_records, auth, 300); | |
6429 | } | |
6430 | return 1; | |
6431 | } | |
6432 | else if (type == QType::DNSKEY) { | |
6433 | setLWResult(res, 0, true, false, true); | |
6434 | addDNSKEY(keys, domain, 300, res->d_records); | |
6435 | addRRSIG(keys, res->d_records, domain, 300); | |
6436 | return 1; | |
6437 | } | |
6438 | else { | |
6439 | if (isRootServer(ip)) { | |
6440 | setLWResult(res, 0, false, false, true); | |
6441 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6442 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6443 | addDS(DNSName("com."), 300, res->d_records, keys); | |
6444 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
6445 | return 1; | |
6446 | } | |
6447 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
6448 | if (domain == DNSName("com.")) { | |
6449 | setLWResult(res, 0, true, false, true); | |
6450 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
6451 | addRRSIG(keys, res->d_records, domain, 300); | |
6452 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6453 | addRRSIG(keys, res->d_records, domain, 300); | |
6454 | } | |
6455 | else { | |
6456 | setLWResult(res, 0, false, false, true); | |
6457 | addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6458 | /* no DS */ | |
6459 | addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records); | |
6460 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
6461 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6462 | } | |
6463 | return 1; | |
6464 | } | |
6465 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
6466 | if (type == QType::NS) { | |
6467 | if (domain == DNSName("powerdns.com.")) { | |
6468 | setLWResult(res, RCode::Refused, false, false, true); | |
6469 | } | |
6470 | else { | |
6471 | setLWResult(res, 0, true, false, true); | |
6472 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
6473 | addRRSIG(keys, res->d_records, domain, 300); | |
6474 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6475 | addRRSIG(keys, res->d_records, domain, 300); | |
6476 | } | |
6477 | } | |
6478 | else { | |
6479 | setLWResult(res, 0, true, false, true); | |
6480 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
6481 | addRRSIG(keys, res->d_records, DNSName("www.powerdns.com"), 300); | |
6482 | } | |
6483 | ||
6484 | return 1; | |
6485 | } | |
6486 | } | |
6487 | ||
6488 | return 0; | |
6489 | }); | |
6490 | ||
6491 | vector<DNSRecord> ret; | |
6492 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6493 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6494 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
6495 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
3cef03e9 | 6496 | BOOST_CHECK_EQUAL(queriesCount, 9); |
f715542c RG |
6497 | |
6498 | /* again, to test the cache */ | |
6499 | ret.clear(); | |
6500 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6501 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6502 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
6503 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
3cef03e9 | 6504 | BOOST_CHECK_EQUAL(queriesCount, 9); |
f715542c RG |
6505 | } |
6506 | ||
8d2e7fa1 RG |
6507 | BOOST_AUTO_TEST_CASE(test_dnssec_dnskey_signed_child) { |
6508 | /* check that we don't accept a signer below us */ | |
6509 | std::unique_ptr<SyncRes> sr; | |
6510 | initSR(sr, true); | |
6511 | ||
6512 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
6513 | ||
6514 | primeHints(); | |
6515 | const DNSName target("www.powerdns.com."); | |
6516 | testkeysset_t keys; | |
6517 | ||
6518 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
6519 | luaconfsCopy.dsAnchors.clear(); | |
6520 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
6521 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6522 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6523 | generateKeyMaterial(DNSName("www.powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6524 | generateKeyMaterial(DNSName("sub.www.powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6525 | ||
6526 | g_luaconfs.setState(luaconfsCopy); | |
6527 | ||
6528 | size_t queriesCount = 0; | |
6529 | ||
0bd2e252 | 6530 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
8d2e7fa1 RG |
6531 | queriesCount++; |
6532 | ||
6533 | if (type == QType::DS) { | |
6534 | DNSName auth(domain); | |
6535 | auth.chopOff(); | |
6536 | ||
6537 | setLWResult(res, 0, true, false, true); | |
6538 | if (domain == target) { | |
6539 | addRecordToLW(res, domain, QType::SOA, "ns1.powerdns.com. blah. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); | |
6540 | addRRSIG(keys, res->d_records, target, 300); | |
6541 | } | |
6542 | else { | |
6543 | addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER); | |
6544 | addRRSIG(keys, res->d_records, auth, 300); | |
6545 | } | |
6546 | return 1; | |
6547 | } | |
6548 | else if (type == QType::DNSKEY) { | |
6549 | setLWResult(res, 0, true, false, true); | |
6550 | addDNSKEY(keys, domain, 300, res->d_records); | |
6551 | if (domain == DNSName("www.powerdns.com.")) { | |
6552 | addRRSIG(keys, res->d_records, DNSName("sub.www.powerdns.com."), 300); | |
6553 | } | |
6554 | else { | |
6555 | addRRSIG(keys, res->d_records, domain, 300); | |
6556 | } | |
6557 | return 1; | |
6558 | } | |
6559 | else { | |
6560 | if (isRootServer(ip)) { | |
6561 | setLWResult(res, 0, false, false, true); | |
6562 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6563 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6564 | addDS(DNSName("com."), 300, res->d_records, keys); | |
6565 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
6566 | return 1; | |
6567 | } | |
6568 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
6569 | if (domain == DNSName("com.")) { | |
6570 | setLWResult(res, 0, true, false, true); | |
6571 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
6572 | addRRSIG(keys, res->d_records, domain, 300); | |
6573 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6574 | addRRSIG(keys, res->d_records, domain, 300); | |
6575 | } | |
6576 | else { | |
6577 | setLWResult(res, 0, false, false, true); | |
6578 | addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6579 | addDS(DNSName("powerdns.com."), 300, res->d_records, keys); | |
6580 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
6581 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6582 | } | |
6583 | return 1; | |
6584 | } | |
6585 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
6586 | if (type == QType::NS) { | |
6587 | setLWResult(res, 0, true, false, true); | |
6588 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
6589 | addRRSIG(keys, res->d_records, domain, 300); | |
6590 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6591 | addRRSIG(keys, res->d_records, domain, 300); | |
6592 | } | |
6593 | else { | |
6594 | setLWResult(res, 0, true, false, true); | |
6595 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
6596 | addRRSIG(keys, res->d_records, domain, 300); | |
6597 | } | |
6598 | ||
6599 | return 1; | |
6600 | } | |
6601 | } | |
6602 | ||
f715542c RG |
6603 | return 0; |
6604 | }); | |
6605 | ||
6606 | vector<DNSRecord> ret; | |
6607 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6608 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6609 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
6610 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
3cef03e9 | 6611 | BOOST_CHECK_EQUAL(queriesCount, 9); |
f715542c RG |
6612 | |
6613 | /* again, to test the cache */ | |
6614 | ret.clear(); | |
6615 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6616 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6617 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
6618 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
3cef03e9 | 6619 | BOOST_CHECK_EQUAL(queriesCount, 9); |
f715542c RG |
6620 | } |
6621 | ||
a53e8fe3 RG |
6622 | BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_insecure) { |
6623 | std::unique_ptr<SyncRes> sr; | |
f24465e5 | 6624 | initSR(sr, true); |
a53e8fe3 | 6625 | |
0c43f455 | 6626 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
a53e8fe3 RG |
6627 | |
6628 | primeHints(); | |
6629 | const DNSName target("www.powerdns.com."); | |
6630 | testkeysset_t keys; | |
6631 | ||
6632 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
6633 | luaconfsCopy.dsAnchors.clear(); | |
6634 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
6635 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6636 | ||
6637 | g_luaconfs.setState(luaconfsCopy); | |
6638 | ||
6639 | size_t queriesCount = 0; | |
6640 | size_t dsQueriesCount = 0; | |
6641 | ||
0bd2e252 | 6642 | sr->setAsyncCallback([target,&queriesCount,&dsQueriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
a53e8fe3 RG |
6643 | queriesCount++; |
6644 | ||
6645 | if (type == QType::DS) { | |
6646 | DNSName auth(domain); | |
6647 | auth.chopOff(); | |
6648 | dsQueriesCount++; | |
6649 | ||
6650 | setLWResult(res, 0, true, false, true); | |
6651 | if (domain == DNSName("com.")) { | |
6652 | addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER); | |
6653 | } | |
6654 | else { | |
f24465e5 RG |
6655 | addRecordToLW(res, "com.", QType::SOA, "a.gtld-servers.com. hostmastercom. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
6656 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
a53e8fe3 RG |
6657 | addNSECRecordToLW(domain, DNSName("powerdnt.com."), { QType::NS }, 600, res->d_records); |
6658 | } | |
6659 | addRRSIG(keys, res->d_records, auth, 300); | |
6660 | return 1; | |
6661 | } | |
6662 | else if (type == QType::DNSKEY) { | |
6663 | setLWResult(res, 0, true, false, true); | |
6664 | addDNSKEY(keys, domain, 300, res->d_records); | |
6665 | addRRSIG(keys, res->d_records, domain, 300); | |
6666 | return 1; | |
6667 | } | |
a69867f2 | 6668 | else { |
a53e8fe3 RG |
6669 | if (isRootServer(ip)) { |
6670 | setLWResult(res, 0, false, false, true); | |
6671 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6672 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6673 | /* No DS on referral, and no denial of the DS either */ | |
6674 | return 1; | |
6675 | } | |
6676 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
a69867f2 RG |
6677 | if (domain == DNSName("com.")) { |
6678 | setLWResult(res, 0, true, false, true); | |
6679 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
f24465e5 | 6680 | addRRSIG(keys, res->d_records, domain, 300); |
a69867f2 | 6681 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); |
f24465e5 | 6682 | addRRSIG(keys, res->d_records, domain, 300); |
a69867f2 RG |
6683 | } |
6684 | else { | |
6685 | setLWResult(res, 0, false, false, true); | |
6686 | addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6687 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6688 | /* No DS on referral, and no denial of the DS either */ | |
6689 | } | |
a53e8fe3 RG |
6690 | return 1; |
6691 | } | |
6692 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
6693 | setLWResult(res, 0, true, false, true); | |
f24465e5 RG |
6694 | if (type == QType::NS) { |
6695 | if (domain == DNSName("powerdns.com.")) { | |
6696 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
6697 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6698 | } | |
6699 | else { | |
6700 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
6701 | } | |
6702 | } | |
6703 | else { | |
6704 | addRecordToLW(res, domain, QType::A, "192.0.2.42"); | |
6705 | } | |
a53e8fe3 RG |
6706 | return 1; |
6707 | } | |
6708 | } | |
6709 | ||
6710 | return 0; | |
6711 | }); | |
6712 | ||
6713 | vector<DNSRecord> ret; | |
6714 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6715 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6716 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
6717 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
5374b03b | 6718 | BOOST_CHECK_EQUAL(queriesCount, 7); |
a53e8fe3 RG |
6719 | BOOST_CHECK_EQUAL(dsQueriesCount, 2); |
6720 | ||
6721 | /* again, to test the cache */ | |
6722 | ret.clear(); | |
6723 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6724 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6725 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
6726 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
5374b03b | 6727 | BOOST_CHECK_EQUAL(queriesCount, 7); |
a53e8fe3 RG |
6728 | BOOST_CHECK_EQUAL(dsQueriesCount, 2); |
6729 | } | |
6730 | ||
e59c8907 | 6731 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_unsigned_nsec) { |
b7f378d1 | 6732 | std::unique_ptr<SyncRes> sr; |
895449a5 | 6733 | initSR(sr, true); |
b7f378d1 | 6734 | |
0c43f455 | 6735 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
b7f378d1 RG |
6736 | |
6737 | primeHints(); | |
6738 | const DNSName target("powerdns.com."); | |
6739 | testkeysset_t keys; | |
6740 | ||
6741 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
6742 | luaconfsCopy.dsAnchors.clear(); | |
6743 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
6744 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6745 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6746 | ||
6747 | g_luaconfs.setState(luaconfsCopy); | |
6748 | ||
6749 | size_t queriesCount = 0; | |
6750 | ||
0bd2e252 | 6751 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
b7f378d1 RG |
6752 | queriesCount++; |
6753 | ||
5374b03b RG |
6754 | if (type == QType::DS || type == QType::DNSKEY) { |
6755 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
b7f378d1 | 6756 | } |
a69867f2 | 6757 | else { |
b7f378d1 RG |
6758 | if (isRootServer(ip)) { |
6759 | setLWResult(res, 0, false, false, true); | |
6760 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6761 | addDS(DNSName("com."), 300, res->d_records, keys); | |
6762 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
6763 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6764 | return 1; | |
6765 | } | |
6766 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
a69867f2 RG |
6767 | if (domain == DNSName("com.")) { |
6768 | setLWResult(res, 0, true, false, true); | |
6769 | addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com."); | |
6770 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
6771 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6772 | } | |
6773 | else { | |
6774 | setLWResult(res, 0, false, false, true); | |
6775 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6776 | addDS(domain, 300, res->d_records, keys); | |
6777 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
6778 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6779 | } | |
b7f378d1 RG |
6780 | return 1; |
6781 | } | |
6782 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
6783 | setLWResult(res, 0, true, false, true); | |
a69867f2 RG |
6784 | if (type == QType::NS) { |
6785 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
6786 | addRRSIG(keys, res->d_records, domain, 300); | |
6787 | } | |
6788 | else { | |
6789 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
6790 | addRRSIG(keys, res->d_records, domain, 300); | |
6791 | addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS, QType::DNSKEY }, 600, res->d_records); | |
6792 | /* NO RRSIG for the NSEC record! */ | |
6793 | } | |
b7f378d1 RG |
6794 | return 1; |
6795 | } | |
6796 | } | |
6797 | ||
6798 | return 0; | |
6799 | }); | |
6800 | ||
6801 | /* NSEC record without the corresponding RRSIG in a secure zone, should be Bogus! */ | |
6802 | vector<DNSRecord> ret; | |
6803 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6804 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6805 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
6806 | BOOST_CHECK_EQUAL(ret.size(), 3); | |
a69867f2 | 6807 | BOOST_CHECK_EQUAL(queriesCount, 8); |
b7f378d1 RG |
6808 | |
6809 | /* again, to test the cache */ | |
6810 | ret.clear(); | |
6811 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6812 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6813 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
6814 | BOOST_REQUIRE_EQUAL(ret.size(), 3); | |
a69867f2 | 6815 | BOOST_CHECK_EQUAL(queriesCount, 8); |
b7f378d1 RG |
6816 | } |
6817 | ||
e59c8907 | 6818 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_no_nsec) { |
b7f378d1 | 6819 | std::unique_ptr<SyncRes> sr; |
895449a5 | 6820 | initSR(sr, true); |
b7f378d1 | 6821 | |
0c43f455 | 6822 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
b7f378d1 RG |
6823 | |
6824 | primeHints(); | |
6825 | const DNSName target("powerdns.com."); | |
6826 | testkeysset_t keys; | |
6827 | ||
6828 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
6829 | luaconfsCopy.dsAnchors.clear(); | |
6830 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
6831 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6832 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6833 | ||
6834 | g_luaconfs.setState(luaconfsCopy); | |
6835 | ||
6836 | size_t queriesCount = 0; | |
6837 | ||
0bd2e252 | 6838 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
b7f378d1 RG |
6839 | queriesCount++; |
6840 | ||
5374b03b RG |
6841 | if (type == QType::DS || type == QType::DNSKEY) { |
6842 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
b7f378d1 | 6843 | } |
a69867f2 | 6844 | else { |
b7f378d1 RG |
6845 | if (isRootServer(ip)) { |
6846 | setLWResult(res, 0, false, false, true); | |
6847 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6848 | addDS(DNSName("com."), 300, res->d_records, keys); | |
6849 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
6850 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6851 | return 1; | |
6852 | } | |
6853 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
a69867f2 RG |
6854 | if (domain == DNSName("com.")) { |
6855 | setLWResult(res, 0, true, false, true); | |
6856 | addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com."); | |
6857 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
6858 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6859 | } | |
6860 | else { | |
6861 | setLWResult(res, 0, false, false, true); | |
6862 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6863 | addDS(domain, 300, res->d_records, keys); | |
6864 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
6865 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6866 | } | |
b7f378d1 RG |
6867 | return 1; |
6868 | } | |
6869 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
6870 | setLWResult(res, 0, true, false, true); | |
a69867f2 RG |
6871 | if (type == QType::NS) { |
6872 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
6873 | addRRSIG(keys, res->d_records, domain, 300); | |
6874 | } | |
6875 | else { | |
6876 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
6877 | addRRSIG(keys, res->d_records, domain, 300); | |
b7f378d1 | 6878 | |
a69867f2 RG |
6879 | /* NO NSEC record! */ |
6880 | } | |
b7f378d1 RG |
6881 | return 1; |
6882 | } | |
6883 | } | |
6884 | ||
6885 | return 0; | |
6886 | }); | |
6887 | ||
6888 | /* no NSEC record in a secure zone, should be Bogus! */ | |
6889 | vector<DNSRecord> ret; | |
6890 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6891 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6892 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
6893 | BOOST_CHECK_EQUAL(ret.size(), 2); | |
a69867f2 | 6894 | BOOST_CHECK_EQUAL(queriesCount, 8); |
b7f378d1 RG |
6895 | |
6896 | /* again, to test the cache */ | |
6897 | ret.clear(); | |
6898 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6899 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6900 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
6901 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
a69867f2 | 6902 | BOOST_CHECK_EQUAL(queriesCount, 8); |
b7f378d1 RG |
6903 | } |
6904 | ||
6905 | BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure) { | |
6906 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 6907 | initSR(sr, true); |
b7f378d1 | 6908 | |
0c43f455 | 6909 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
b7f378d1 RG |
6910 | |
6911 | primeHints(); | |
6912 | const DNSName target("powerdns.com."); | |
6913 | const ComboAddress targetAddr("192.0.2.42"); | |
6914 | testkeysset_t keys; | |
6915 | ||
6916 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
6917 | luaconfsCopy.dsAnchors.clear(); | |
6918 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
6919 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
6920 | ||
6921 | g_luaconfs.setState(luaconfsCopy); | |
6922 | ||
6923 | size_t queriesCount = 0; | |
6924 | ||
0bd2e252 | 6925 | sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
b7f378d1 RG |
6926 | queriesCount++; |
6927 | ||
6928 | if (type == QType::DS) { | |
a53e8fe3 | 6929 | if (domain == target) { |
5e543cab | 6930 | setLWResult(res, 0, true, false, true); |
895449a5 | 6931 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
5e543cab | 6932 | addRRSIG(keys, res->d_records, DNSName("com."), 300); |
b7f378d1 RG |
6933 | addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records); |
6934 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
6935 | return 1; | |
5374b03b RG |
6936 | } else { |
6937 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
b7f378d1 RG |
6938 | } |
6939 | } | |
6940 | else if (type == QType::DNSKEY) { | |
6941 | if (domain == g_rootdnsname || domain == DNSName("com.")) { | |
6942 | setLWResult(res, 0, true, false, true); | |
6943 | addDNSKEY(keys, domain, 300, res->d_records); | |
6944 | addRRSIG(keys, res->d_records, domain, 300); | |
6945 | return 1; | |
6946 | } | |
6947 | else { | |
5e543cab | 6948 | setLWResult(res, 0, true, false, true); |
895449a5 | 6949 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
b7f378d1 RG |
6950 | return 1; |
6951 | } | |
6952 | } | |
a69867f2 | 6953 | else { |
b7f378d1 RG |
6954 | if (isRootServer(ip)) { |
6955 | setLWResult(res, 0, false, false, true); | |
6956 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6957 | addDS(DNSName("com."), 300, res->d_records, keys); | |
6958 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
6959 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6960 | return 1; | |
6961 | } | |
6962 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
a69867f2 RG |
6963 | if (domain == DNSName("com.")) { |
6964 | setLWResult(res, 0, true, false, true); | |
6965 | addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com."); | |
6966 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
6967 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
6968 | } | |
6969 | else { | |
6970 | setLWResult(res, 0, false, false, true); | |
6971 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
6972 | /* no DS */ | |
6973 | addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records); | |
6974 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
6975 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
6976 | } | |
b7f378d1 RG |
6977 | return 1; |
6978 | } | |
6979 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
6980 | setLWResult(res, 0, true, false, true); | |
a69867f2 RG |
6981 | if (type == QType::NS) { |
6982 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
6983 | } | |
6984 | else { | |
6985 | addRecordToLW(res, domain, QType::A, targetAddr.toString()); | |
6986 | } | |
b7f378d1 RG |
6987 | return 1; |
6988 | } | |
6989 | } | |
6990 | ||
6991 | return 0; | |
6992 | }); | |
6993 | ||
6994 | vector<DNSRecord> ret; | |
6995 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
6996 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
6997 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
6998 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
6999 | BOOST_CHECK(ret[0].d_type == QType::A); | |
a69867f2 RG |
7000 | /* 4 NS: com at ., com at com, powerdns.com at com, powerdns.com at powerdns.com |
7001 | 4 DNSKEY: ., com (not for powerdns.com because DS denial in referral) | |
7002 | 1 query for A */ | |
7003 | BOOST_CHECK_EQUAL(queriesCount, 7); | |
b7f378d1 RG |
7004 | |
7005 | /* again, to test the cache */ | |
7006 | ret.clear(); | |
7007 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
7008 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7009 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
7010 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
7011 | BOOST_CHECK(ret[0].d_type == QType::A); | |
a69867f2 | 7012 | BOOST_CHECK_EQUAL(queriesCount, 7); |
b7f378d1 RG |
7013 | } |
7014 | ||
3cef03e9 RG |
7015 | |
7016 | BOOST_AUTO_TEST_CASE(test_dnssec_secure_direct_ds) { | |
7017 | /* | |
7018 | Direct DS query: | |
7019 | - parent is secure, zone is secure: DS should be secure | |
7020 | */ | |
7021 | std::unique_ptr<SyncRes> sr; | |
7022 | initSR(sr, true); | |
7023 | ||
7024 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
7025 | ||
7026 | primeHints(); | |
7027 | const DNSName target("powerdns.com."); | |
7028 | testkeysset_t keys; | |
7029 | ||
7030 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
7031 | luaconfsCopy.dsAnchors.clear(); | |
7032 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
7033 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7034 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7035 | ||
7036 | g_luaconfs.setState(luaconfsCopy); | |
7037 | ||
7038 | size_t queriesCount = 0; | |
7039 | ||
0bd2e252 | 7040 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3cef03e9 RG |
7041 | queriesCount++; |
7042 | ||
7043 | if (type == QType::DS || type == QType::DNSKEY) { | |
7044 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
7045 | } | |
7046 | else { | |
7047 | if (isRootServer(ip)) { | |
7048 | setLWResult(res, 0, false, false, true); | |
7049 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7050 | addDS(DNSName("com."), 300, res->d_records, keys); | |
7051 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
7052 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7053 | return 1; | |
7054 | } | |
7055 | } | |
7056 | ||
7057 | return 0; | |
7058 | }); | |
7059 | ||
7060 | vector<DNSRecord> ret; | |
7061 | int res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret); | |
7062 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7063 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
7064 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
7065 | for (const auto& record : ret) { | |
7066 | BOOST_CHECK(record.d_type == QType::DS || record.d_type == QType::RRSIG); | |
7067 | } | |
7068 | BOOST_CHECK_EQUAL(queriesCount, 4); | |
7069 | ||
7070 | /* again, to test the cache */ | |
7071 | ret.clear(); | |
7072 | res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret); | |
7073 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7074 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
7075 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
7076 | for (const auto& record : ret) { | |
7077 | BOOST_CHECK(record.d_type == QType::DS || record.d_type == QType::RRSIG); | |
7078 | } | |
7079 | BOOST_CHECK_EQUAL(queriesCount, 4); | |
7080 | } | |
7081 | ||
7082 | BOOST_AUTO_TEST_CASE(test_dnssec_insecure_direct_ds) { | |
7083 | /* | |
7084 | Direct DS query: | |
7085 | - parent is secure, zone is insecure: DS denial should be secure | |
7086 | */ | |
7087 | std::unique_ptr<SyncRes> sr; | |
7088 | initSR(sr, true); | |
7089 | ||
7090 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
7091 | ||
7092 | primeHints(); | |
7093 | const DNSName target("powerdns.com."); | |
7094 | testkeysset_t keys; | |
7095 | ||
7096 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
7097 | luaconfsCopy.dsAnchors.clear(); | |
7098 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
7099 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7100 | ||
7101 | g_luaconfs.setState(luaconfsCopy); | |
7102 | ||
7103 | size_t queriesCount = 0; | |
7104 | ||
0bd2e252 | 7105 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3cef03e9 RG |
7106 | queriesCount++; |
7107 | ||
7108 | if (type == QType::DS || type == QType::DNSKEY) { | |
7109 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
7110 | } | |
7111 | else { | |
7112 | if (isRootServer(ip)) { | |
7113 | setLWResult(res, 0, false, false, true); | |
7114 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7115 | addDS(DNSName("com."), 300, res->d_records, keys); | |
7116 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
7117 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7118 | return 1; | |
7119 | } | |
7120 | } | |
7121 | ||
7122 | return 0; | |
7123 | }); | |
7124 | ||
7125 | vector<DNSRecord> ret; | |
7126 | int res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret); | |
7127 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7128 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
7129 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
7130 | for (const auto& record : ret) { | |
7131 | BOOST_CHECK(record.d_type == QType::SOA || record.d_type == QType::NSEC || record.d_type == QType::RRSIG); | |
7132 | } | |
7133 | BOOST_CHECK_EQUAL(queriesCount, 4); | |
7134 | ||
7135 | /* again, to test the cache */ | |
7136 | ret.clear(); | |
7137 | res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret); | |
7138 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7139 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
7140 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
7141 | for (const auto& record : ret) { | |
7142 | BOOST_CHECK(record.d_type == QType::SOA || record.d_type == QType::NSEC || record.d_type == QType::RRSIG); | |
7143 | } | |
7144 | BOOST_CHECK_EQUAL(queriesCount, 4); | |
7145 | } | |
7146 | ||
70b3fe7a RG |
7147 | BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_skipped_cut) { |
7148 | std::unique_ptr<SyncRes> sr; | |
a69867f2 | 7149 | initSR(sr, true); |
70b3fe7a | 7150 | |
0c43f455 | 7151 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
70b3fe7a RG |
7152 | |
7153 | primeHints(); | |
7154 | const DNSName target("www.sub.powerdns.com."); | |
7155 | const ComboAddress targetAddr("192.0.2.42"); | |
7156 | testkeysset_t keys; | |
7157 | ||
7158 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
7159 | luaconfsCopy.dsAnchors.clear(); | |
7160 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
7161 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7162 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7163 | ||
7164 | g_luaconfs.setState(luaconfsCopy); | |
7165 | ||
7166 | size_t queriesCount = 0; | |
7167 | ||
0bd2e252 | 7168 | sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
70b3fe7a RG |
7169 | queriesCount++; |
7170 | ||
7171 | if (type == QType::DS) { | |
7172 | if (domain == DNSName("sub.powerdns.com.")) { | |
5e543cab | 7173 | setLWResult(res, 0, true, false, true); |
70b3fe7a RG |
7174 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
7175 | addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300); | |
7176 | addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records); | |
7177 | addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300); | |
7178 | return 1; | |
7179 | } | |
7180 | else if (domain == DNSName("www.sub.powerdns.com.")) { | |
5e543cab | 7181 | setLWResult(res, 0, true, false, true); |
70b3fe7a RG |
7182 | addRecordToLW(res, DNSName("sub.powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
7183 | return 1; | |
7184 | } | |
5374b03b RG |
7185 | else { |
7186 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
7187 | } | |
70b3fe7a RG |
7188 | } |
7189 | else if (type == QType::DNSKEY) { | |
a69867f2 | 7190 | if (domain == g_rootdnsname || domain == DNSName("com.") || domain == DNSName("powerdns.com.")) { |
70b3fe7a RG |
7191 | setLWResult(res, 0, true, false, true); |
7192 | addDNSKEY(keys, domain, 300, res->d_records); | |
7193 | addRRSIG(keys, res->d_records, domain, 300); | |
7194 | return 1; | |
7195 | } | |
7196 | else { | |
5e543cab | 7197 | setLWResult(res, 0, true, false, true); |
70b3fe7a RG |
7198 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
7199 | return 1; | |
7200 | } | |
7201 | } | |
88cb0fe0 | 7202 | else { |
70b3fe7a RG |
7203 | if (isRootServer(ip)) { |
7204 | setLWResult(res, 0, false, false, true); | |
7205 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7206 | addDS(DNSName("com."), 300, res->d_records, keys); | |
7207 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
7208 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7209 | return 1; | |
7210 | } | |
7211 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
a69867f2 RG |
7212 | if (domain == DNSName("com.")) { |
7213 | setLWResult(res, 0, true, false, true); | |
7214 | addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com."); | |
7215 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7216 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7217 | } | |
7218 | else { | |
7219 | setLWResult(res, 0, false, false, true); | |
7220 | addRecordToLW(res, DNSName("powerdns.com."), QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7221 | addDS(DNSName("powerdns.com."), 300, res->d_records, keys); | |
7222 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7223 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
7224 | } | |
70b3fe7a RG |
7225 | return 1; |
7226 | } | |
7227 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
7228 | setLWResult(res, 0, true, false, true); | |
a69867f2 RG |
7229 | if (type == QType::NS) { |
7230 | if (domain == DNSName("www.sub.powerdns.com.")) { | |
7231 | addRecordToLW(res, DNSName("sub.powerdns.com"), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
7232 | } | |
7233 | else if (domain == DNSName("sub.powerdns.com.")) { | |
7234 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
a69867f2 RG |
7235 | } |
7236 | else if (domain == DNSName("powerdns.com.")) { | |
7237 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
7238 | addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300); | |
7239 | } | |
7240 | } else { | |
7241 | addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); | |
7242 | } | |
70b3fe7a RG |
7243 | return 1; |
7244 | } | |
7245 | } | |
7246 | ||
7247 | return 0; | |
7248 | }); | |
7249 | ||
7250 | vector<DNSRecord> ret; | |
7251 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
7252 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7253 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
7254 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
7255 | BOOST_CHECK(ret[0].d_type == QType::A); | |
5374b03b | 7256 | BOOST_CHECK_EQUAL(queriesCount, 9); |
70b3fe7a RG |
7257 | |
7258 | /* again, to test the cache */ | |
7259 | ret.clear(); | |
7260 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
7261 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7262 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
7263 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
7264 | BOOST_CHECK(ret[0].d_type == QType::A); | |
5374b03b | 7265 | BOOST_CHECK_EQUAL(queriesCount, 9); |
70b3fe7a RG |
7266 | } |
7267 | ||
7268 | BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_ta_skipped_cut) { | |
7269 | std::unique_ptr<SyncRes> sr; | |
a69867f2 | 7270 | initSR(sr, true); |
70b3fe7a | 7271 | |
0c43f455 | 7272 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
70b3fe7a RG |
7273 | |
7274 | primeHints(); | |
7275 | const DNSName target("www.sub.powerdns.com."); | |
7276 | const ComboAddress targetAddr("192.0.2.42"); | |
7277 | testkeysset_t keys; | |
7278 | ||
7279 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
7280 | luaconfsCopy.dsAnchors.clear(); | |
7281 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
7282 | /* No key material for .com */ | |
7283 | /* But TA for sub.powerdns.com. */ | |
7284 | generateKeyMaterial(DNSName("sub.powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7285 | luaconfsCopy.dsAnchors[DNSName("sub.powerdns.com.")].insert(keys[DNSName("sub.powerdns.com.")].second); | |
7286 | g_luaconfs.setState(luaconfsCopy); | |
7287 | ||
7288 | size_t queriesCount = 0; | |
7289 | ||
0bd2e252 | 7290 | sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
70b3fe7a RG |
7291 | queriesCount++; |
7292 | ||
7293 | if (type == QType::DS) { | |
88cb0fe0 | 7294 | if (domain == DNSName("www.sub.powerdns.com")) { |
5e543cab | 7295 | setLWResult(res, 0, true, false, true); |
88cb0fe0 RG |
7296 | addRecordToLW(res, DNSName("sub.powerdns.com"), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
7297 | addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300); | |
7298 | addNSECRecordToLW(DNSName("www.sub.powerdns.com"), DNSName("vww.sub.powerdns.com."), { QType::A }, 600, res->d_records); | |
7299 | addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300); | |
7300 | } | |
7301 | else { | |
5e543cab | 7302 | setLWResult(res, 0, true, false, true); |
5374b03b RG |
7303 | |
7304 | if (domain == DNSName("com.")) { | |
7305 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
7306 | /* no DS */ | |
7307 | addNSECRecordToLW(DNSName("com."), DNSName("dom."), { QType::NS }, 600, res->d_records); | |
7308 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
7309 | } | |
7310 | else { | |
5e543cab | 7311 | setLWResult(res, 0, true, false, true); |
5374b03b RG |
7312 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
7313 | } | |
88cb0fe0 | 7314 | } |
70b3fe7a RG |
7315 | return 1; |
7316 | } | |
7317 | else if (type == QType::DNSKEY) { | |
7318 | if (domain == g_rootdnsname || domain == DNSName("sub.powerdns.com.")) { | |
7319 | setLWResult(res, 0, true, false, true); | |
7320 | addDNSKEY(keys, domain, 300, res->d_records); | |
7321 | addRRSIG(keys, res->d_records, domain, 300); | |
7322 | return 1; | |
7323 | } | |
7324 | } | |
88cb0fe0 | 7325 | else { |
70b3fe7a RG |
7326 | if (isRootServer(ip)) { |
7327 | setLWResult(res, 0, false, false, true); | |
7328 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7329 | /* no DS */ | |
7330 | addNSECRecordToLW(DNSName("com."), DNSName("dom."), { QType::NS }, 600, res->d_records); | |
7331 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
7332 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7333 | return 1; | |
7334 | } | |
7335 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
88cb0fe0 RG |
7336 | if (domain == DNSName("com.")) { |
7337 | setLWResult(res, 0, true, false, true); | |
7338 | addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com."); | |
7339 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7340 | } | |
5374b03b | 7341 | else if (domain.isPartOf(DNSName("powerdns.com."))) { |
88cb0fe0 RG |
7342 | setLWResult(res, 0, false, false, true); |
7343 | addRecordToLW(res, DNSName("powerdns.com."), QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7344 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
7345 | } | |
70b3fe7a RG |
7346 | return 1; |
7347 | } | |
7348 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
7349 | setLWResult(res, 0, true, false, true); | |
88cb0fe0 RG |
7350 | if (type == QType::NS) { |
7351 | if (domain == DNSName("www.sub.powerdns.com.")) { | |
7352 | addRecordToLW(res, DNSName("sub.powerdns.com"), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
7353 | addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300); | |
7354 | addNSECRecordToLW(DNSName("www.sub.powerdns.com"), DNSName("vww.sub.powerdns.com."), { QType::A }, 600, res->d_records); | |
7355 | addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300); | |
7356 | } | |
7357 | else if (domain == DNSName("sub.powerdns.com.")) { | |
7358 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
7359 | addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com."), 300); | |
7360 | } | |
7361 | else if (domain == DNSName("powerdns.com.")) { | |
7362 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
7363 | } | |
7364 | } | |
7365 | else if (domain == DNSName("www.sub.powerdns.com.")) { | |
7366 | addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); | |
7367 | addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com."), 300); | |
7368 | } | |
70b3fe7a RG |
7369 | return 1; |
7370 | } | |
7371 | } | |
7372 | ||
7373 | return 0; | |
7374 | }); | |
7375 | ||
7376 | vector<DNSRecord> ret; | |
7377 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
7378 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7379 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
88cb0fe0 | 7380 | BOOST_REQUIRE_EQUAL(ret.size(), 2); |
70b3fe7a | 7381 | BOOST_CHECK(ret[0].d_type == QType::A); |
5e543cab | 7382 | BOOST_CHECK_EQUAL(queriesCount, 8); |
70b3fe7a RG |
7383 | |
7384 | /* again, to test the cache */ | |
7385 | ret.clear(); | |
7386 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
7387 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7388 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
88cb0fe0 | 7389 | BOOST_REQUIRE_EQUAL(ret.size(), 2); |
70b3fe7a | 7390 | BOOST_CHECK(ret[0].d_type == QType::A); |
5e543cab | 7391 | BOOST_CHECK_EQUAL(queriesCount, 8); |
70b3fe7a RG |
7392 | } |
7393 | ||
b7f378d1 RG |
7394 | BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_nodata) { |
7395 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 7396 | initSR(sr, true); |
b7f378d1 | 7397 | |
0c43f455 | 7398 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
b7f378d1 RG |
7399 | |
7400 | primeHints(); | |
7401 | const DNSName target("powerdns.com."); | |
7402 | testkeysset_t keys; | |
7403 | ||
7404 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
7405 | luaconfsCopy.dsAnchors.clear(); | |
7406 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
7407 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7408 | ||
7409 | g_luaconfs.setState(luaconfsCopy); | |
7410 | ||
7411 | size_t queriesCount = 0; | |
7412 | ||
0bd2e252 | 7413 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
b7f378d1 RG |
7414 | queriesCount++; |
7415 | ||
7416 | if (type == QType::DS) { | |
a53e8fe3 | 7417 | if (domain == target) { |
5e543cab | 7418 | setLWResult(res, 0, true, false, true); |
895449a5 | 7419 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
5e543cab | 7420 | addRRSIG(keys, res->d_records, DNSName("com."), 300); |
b7f378d1 RG |
7421 | addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records); |
7422 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7423 | return 1; | |
7424 | } | |
5374b03b RG |
7425 | else { |
7426 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
7427 | } | |
b7f378d1 RG |
7428 | } |
7429 | else if (type == QType::DNSKEY) { | |
7430 | if (domain == g_rootdnsname || domain == DNSName("com.")) { | |
7431 | setLWResult(res, 0, true, false, true); | |
7432 | addDNSKEY(keys, domain, 300, res->d_records); | |
7433 | addRRSIG(keys, res->d_records, domain, 300); | |
7434 | return 1; | |
7435 | } | |
7436 | else { | |
5e543cab | 7437 | setLWResult(res, 0, true, false, true); |
895449a5 | 7438 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
b7f378d1 RG |
7439 | return 1; |
7440 | } | |
7441 | } | |
a69867f2 | 7442 | else { |
b7f378d1 RG |
7443 | if (isRootServer(ip)) { |
7444 | setLWResult(res, 0, false, false, true); | |
7445 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7446 | addDS(DNSName("com."), 300, res->d_records, keys); | |
7447 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
7448 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7449 | return 1; | |
7450 | } | |
7451 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
a69867f2 RG |
7452 | if (domain == DNSName("com.")) { |
7453 | setLWResult(res, 0, true, false, true); | |
7454 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
7455 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7456 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7457 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7458 | } | |
7459 | else { | |
7460 | setLWResult(res, 0, false, false, true); | |
7461 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7462 | /* no DS */ | |
7463 | addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records); | |
7464 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7465 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
7466 | } | |
b7f378d1 RG |
7467 | return 1; |
7468 | } | |
7469 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
a69867f2 RG |
7470 | if (type == QType::NS) { |
7471 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
7472 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
7473 | } | |
7474 | else { | |
7475 | setLWResult(res, 0, true, false, true); | |
7476 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
7477 | } | |
b7f378d1 RG |
7478 | return 1; |
7479 | } | |
7480 | } | |
7481 | ||
7482 | return 0; | |
7483 | }); | |
7484 | ||
7485 | vector<DNSRecord> ret; | |
7486 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
7487 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7488 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
7489 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
a69867f2 RG |
7490 | /* 4 NS (com from root, com from com, powerdns.com from com, |
7491 | powerdns.com from powerdns.com) | |
7492 | 2 DNSKEY (. and com., none for powerdns.com because no DS) | |
7493 | 1 query for A | |
7494 | */ | |
7495 | BOOST_CHECK_EQUAL(queriesCount, 7); | |
b7f378d1 RG |
7496 | |
7497 | /* again, to test the cache */ | |
7498 | ret.clear(); | |
7499 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
7500 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7501 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
7502 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
a69867f2 | 7503 | BOOST_CHECK_EQUAL(queriesCount, 7); |
b7f378d1 RG |
7504 | } |
7505 | ||
895449a5 | 7506 | BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname) { |
b7f378d1 | 7507 | std::unique_ptr<SyncRes> sr; |
860d5e8e | 7508 | initSR(sr, true); |
b7f378d1 | 7509 | |
0c43f455 | 7510 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
b7f378d1 | 7511 | |
895449a5 RG |
7512 | primeHints(); |
7513 | const DNSName target("powerdns.com."); | |
7514 | const DNSName targetCName("power-dns.com."); | |
7515 | const ComboAddress targetCNameAddr("192.0.2.42"); | |
7516 | testkeysset_t keys; | |
7517 | ||
7518 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
7519 | luaconfsCopy.dsAnchors.clear(); | |
7520 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
7521 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7522 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7523 | g_luaconfs.setState(luaconfsCopy); | |
7524 | ||
7525 | size_t queriesCount = 0; | |
7526 | ||
0bd2e252 | 7527 | sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
895449a5 RG |
7528 | queriesCount++; |
7529 | ||
7530 | if (type == QType::DS) { | |
5374b03b | 7531 | if (domain == targetCName) { |
5e543cab | 7532 | setLWResult(res, 0, true, false, true); |
895449a5 | 7533 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
5e543cab | 7534 | addRRSIG(keys, res->d_records, DNSName("com."), 300); |
895449a5 RG |
7535 | addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records); |
7536 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7537 | return 1; | |
7538 | } | |
5374b03b RG |
7539 | else { |
7540 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
7541 | } | |
895449a5 RG |
7542 | } |
7543 | else if (type == QType::DNSKEY) { | |
7544 | if (domain == g_rootdnsname || domain == DNSName("com.") || domain == DNSName("powerdns.com.")) { | |
7545 | setLWResult(res, 0, true, false, true); | |
7546 | addDNSKEY(keys, domain, 300, res->d_records); | |
7547 | addRRSIG(keys, res->d_records, domain, 300); | |
7548 | return 1; | |
7549 | } | |
7550 | else { | |
5e543cab | 7551 | setLWResult(res, 0, true, false, true); |
895449a5 RG |
7552 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
7553 | return 1; | |
7554 | } | |
7555 | } | |
7556 | else { | |
7557 | if (isRootServer(ip)) { | |
7558 | setLWResult(res, 0, false, false, true); | |
7559 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7560 | addDS(DNSName("com."), 300, res->d_records, keys); | |
7561 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
7562 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7563 | return 1; | |
7564 | } | |
7565 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
7566 | setLWResult(res, 0, false, false, true); | |
a69867f2 RG |
7567 | if (domain == DNSName("com.")) { |
7568 | setLWResult(res, 0, true, false, true); | |
7569 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
7570 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7571 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7572 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
895449a5 | 7573 | } |
a69867f2 RG |
7574 | else { |
7575 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7576 | if (domain == DNSName("powerdns.com.")) { | |
7577 | addDS(DNSName("powerdns.com."), 300, res->d_records, keys); | |
7578 | } | |
7579 | else if (domain == targetCName) { | |
7580 | addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records); | |
7581 | } | |
7582 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7583 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
895449a5 | 7584 | } |
a69867f2 | 7585 | |
895449a5 RG |
7586 | return 1; |
7587 | } | |
7588 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
7589 | setLWResult(res, 0, true, false, true); | |
a69867f2 RG |
7590 | |
7591 | if (type == QType::NS) { | |
7592 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
7593 | if (domain == DNSName("powerdns.com.")) { | |
7594 | addRRSIG(keys, res->d_records, domain, 300); | |
7595 | } | |
7596 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
7597 | if (domain == DNSName("powerdns.com.")) { | |
7598 | addRRSIG(keys, res->d_records, domain, 300); | |
7599 | } | |
895449a5 | 7600 | } |
a69867f2 RG |
7601 | else { |
7602 | if (domain == DNSName("powerdns.com.")) { | |
7603 | addRecordToLW(res, domain, QType::CNAME, targetCName.toString()); | |
7604 | addRRSIG(keys, res->d_records, domain, 300); | |
7605 | } | |
7606 | else if (domain == targetCName) { | |
7607 | addRecordToLW(res, domain, QType::A, targetCNameAddr.toString()); | |
7608 | } | |
895449a5 | 7609 | } |
a69867f2 | 7610 | |
895449a5 RG |
7611 | return 1; |
7612 | } | |
7613 | } | |
7614 | ||
7615 | return 0; | |
7616 | }); | |
7617 | ||
7618 | vector<DNSRecord> ret; | |
7619 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
7620 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7621 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
7622 | BOOST_REQUIRE_EQUAL(ret.size(), 3); | |
a69867f2 | 7623 | BOOST_CHECK_EQUAL(queriesCount, 11); |
895449a5 RG |
7624 | |
7625 | /* again, to test the cache */ | |
7626 | ret.clear(); | |
7627 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
7628 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7629 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
7630 | BOOST_REQUIRE_EQUAL(ret.size(), 3); | |
a69867f2 | 7631 | BOOST_CHECK_EQUAL(queriesCount, 11); |
895449a5 RG |
7632 | } |
7633 | ||
933299e8 RG |
7634 | BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname_glue) { |
7635 | std::unique_ptr<SyncRes> sr; | |
f100caac | 7636 | initSR(sr, true); |
933299e8 RG |
7637 | |
7638 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
7639 | ||
7640 | primeHints(); | |
7641 | const DNSName target("powerdns.com."); | |
7642 | const DNSName targetCName1("cname.sub.powerdns.com."); | |
7643 | const DNSName targetCName2("cname2.sub.powerdns.com."); | |
7644 | const ComboAddress targetCName2Addr("192.0.2.42"); | |
7645 | testkeysset_t keys; | |
7646 | ||
7647 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
7648 | luaconfsCopy.dsAnchors.clear(); | |
7649 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
7650 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7651 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7652 | g_luaconfs.setState(luaconfsCopy); | |
7653 | ||
7654 | size_t queriesCount = 0; | |
7655 | ||
0bd2e252 | 7656 | sr->setAsyncCallback([target,targetCName1,targetCName2,targetCName2Addr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
933299e8 RG |
7657 | queriesCount++; |
7658 | ||
7659 | if (type == QType::DS || type == QType::DNSKEY) { | |
7660 | if (domain == DNSName("sub.powerdns.com")) { | |
5e543cab | 7661 | setLWResult(res, 0, true, false, true); |
933299e8 | 7662 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
5e543cab | 7663 | addRRSIG(keys, res->d_records, DNSName("com."), 300); |
933299e8 RG |
7664 | addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records); |
7665 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7666 | return 1; | |
7667 | } | |
7668 | else { | |
7669 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
7670 | } | |
7671 | } | |
7672 | else { | |
7673 | if (isRootServer(ip)) { | |
7674 | setLWResult(res, 0, false, false, true); | |
7675 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7676 | addDS(DNSName("com."), 300, res->d_records, keys); | |
7677 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
7678 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7679 | return 1; | |
7680 | } | |
7681 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
7682 | setLWResult(res, 0, false, false, true); | |
7683 | if (domain == DNSName("com.")) { | |
7684 | setLWResult(res, 0, true, false, true); | |
7685 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
7686 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7687 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7688 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7689 | } | |
7690 | else { | |
7691 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7692 | if (domain == DNSName("powerdns.com.")) { | |
7693 | addDS(DNSName("powerdns.com."), 300, res->d_records, keys); | |
7694 | } | |
7695 | else if (domain == DNSName("sub.powerdns.com")) { | |
7696 | addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records); | |
7697 | } | |
7698 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7699 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
7700 | } | |
7701 | ||
7702 | return 1; | |
7703 | } | |
7704 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
7705 | setLWResult(res, 0, true, false, true); | |
7706 | ||
7707 | if (type == QType::NS) { | |
7708 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
7709 | if (domain == DNSName("powerdns.com.")) { | |
7710 | addRRSIG(keys, res->d_records, domain, 300); | |
7711 | } | |
7712 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
7713 | if (domain == DNSName("powerdns.com.")) { | |
7714 | addRRSIG(keys, res->d_records, domain, 300); | |
7715 | } | |
7716 | } | |
7717 | else { | |
7718 | if (domain == DNSName("powerdns.com.")) { | |
7719 | addRecordToLW(res, domain, QType::CNAME, targetCName1.toString()); | |
7720 | addRRSIG(keys, res->d_records, domain, 300); | |
7721 | /* add the CNAME target as a glue, with no RRSIG since the sub zone is insecure */ | |
7722 | addRecordToLW(res, targetCName1, QType::CNAME, targetCName2.toString()); | |
7723 | addRecordToLW(res, targetCName2, QType::A, targetCName2Addr.toString()); | |
7724 | } | |
7725 | else if (domain == targetCName1) { | |
7726 | addRecordToLW(res, domain, QType::CNAME, targetCName2.toString()); | |
7727 | } | |
7728 | else if (domain == targetCName2) { | |
7729 | addRecordToLW(res, domain, QType::A, targetCName2Addr.toString()); | |
7730 | } | |
7731 | } | |
7732 | ||
7733 | return 1; | |
7734 | } | |
7735 | } | |
7736 | ||
7737 | return 0; | |
7738 | }); | |
7739 | ||
7740 | vector<DNSRecord> ret; | |
7741 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
7742 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7743 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
7744 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
7745 | BOOST_CHECK_EQUAL(queriesCount, 11); | |
7746 | ||
7747 | /* again, to test the cache */ | |
7748 | ret.clear(); | |
7749 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
7750 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7751 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
7752 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
7753 | BOOST_CHECK_EQUAL(queriesCount, 11); | |
7754 | } | |
7755 | ||
3d5ebf10 RG |
7756 | BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_secure_cname) { |
7757 | std::unique_ptr<SyncRes> sr; | |
7758 | initSR(sr, true); | |
7759 | ||
0c43f455 | 7760 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
3d5ebf10 RG |
7761 | |
7762 | primeHints(); | |
7763 | const DNSName target("power-dns.com."); | |
7764 | const DNSName targetCName("powerdns.com."); | |
7765 | const ComboAddress targetCNameAddr("192.0.2.42"); | |
7766 | testkeysset_t keys; | |
7767 | ||
7768 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
7769 | luaconfsCopy.dsAnchors.clear(); | |
7770 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
7771 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7772 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7773 | g_luaconfs.setState(luaconfsCopy); | |
7774 | ||
7775 | size_t queriesCount = 0; | |
7776 | ||
0bd2e252 | 7777 | sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3d5ebf10 RG |
7778 | queriesCount++; |
7779 | ||
7780 | if (type == QType::DS) { | |
a53e8fe3 | 7781 | if (domain == DNSName("power-dns.com.")) { |
5e543cab | 7782 | setLWResult(res, 0, true, false, true); |
3d5ebf10 | 7783 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
5e543cab | 7784 | addRRSIG(keys, res->d_records, DNSName("com."), 300); |
3d5ebf10 RG |
7785 | addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records); |
7786 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7787 | return 1; | |
7788 | } | |
5374b03b RG |
7789 | else { |
7790 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
7791 | } | |
3d5ebf10 RG |
7792 | } |
7793 | else if (type == QType::DNSKEY) { | |
7794 | if (domain == g_rootdnsname || domain == DNSName("com.") || domain == DNSName("powerdns.com.")) { | |
7795 | setLWResult(res, 0, true, false, true); | |
7796 | addDNSKEY(keys, domain, 300, res->d_records); | |
7797 | addRRSIG(keys, res->d_records, domain, 300); | |
7798 | return 1; | |
7799 | } | |
7800 | else { | |
5e543cab | 7801 | setLWResult(res, 0, true, false, true); |
3d5ebf10 RG |
7802 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
7803 | return 1; | |
7804 | } | |
7805 | } | |
7806 | else { | |
7807 | if (isRootServer(ip)) { | |
7808 | setLWResult(res, 0, false, false, true); | |
7809 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7810 | addDS(DNSName("com."), 300, res->d_records, keys); | |
7811 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
7812 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7813 | return 1; | |
7814 | } | |
7815 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
a69867f2 RG |
7816 | if (domain == DNSName("com.")) { |
7817 | setLWResult(res, 0, true, false, true); | |
7818 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
7819 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7820 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7821 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
3d5ebf10 | 7822 | } |
a69867f2 RG |
7823 | else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) { |
7824 | setLWResult(res, 0, false, false, true); | |
7825 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7826 | if (domain == targetCName) { | |
7827 | addDS(DNSName("powerdns.com."), 300, res->d_records, keys); | |
7828 | } | |
7829 | else if (domain == target) { | |
7830 | addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records); | |
7831 | } | |
7832 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7833 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
3d5ebf10 | 7834 | } |
3d5ebf10 RG |
7835 | return 1; |
7836 | } | |
7837 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
7838 | setLWResult(res, 0, true, false, true); | |
a69867f2 RG |
7839 | if (type == QType::NS) { |
7840 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
7841 | if (domain == DNSName("powerdns.com.")) { | |
7842 | addRRSIG(keys, res->d_records, domain, 300); | |
7843 | } | |
7844 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
7845 | if (domain == DNSName("powerdns.com.")) { | |
7846 | addRRSIG(keys, res->d_records, domain, 300); | |
7847 | } | |
3d5ebf10 | 7848 | } |
a69867f2 RG |
7849 | else { |
7850 | if (domain == target) { | |
7851 | addRecordToLW(res, domain, QType::CNAME, targetCName.toString()); | |
7852 | } | |
7853 | else if (domain == targetCName) { | |
7854 | addRecordToLW(res, domain, QType::A, targetCNameAddr.toString()); | |
7855 | addRRSIG(keys, res->d_records, domain, 300); | |
7856 | } | |
3d5ebf10 RG |
7857 | } |
7858 | return 1; | |
7859 | } | |
7860 | } | |
7861 | ||
7862 | return 0; | |
7863 | }); | |
7864 | ||
7865 | vector<DNSRecord> ret; | |
7866 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
7867 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7868 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
7869 | BOOST_REQUIRE_EQUAL(ret.size(), 3); | |
a69867f2 | 7870 | BOOST_CHECK_EQUAL(queriesCount, 11); |
3d5ebf10 RG |
7871 | |
7872 | /* again, to test the cache */ | |
7873 | ret.clear(); | |
7874 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
7875 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7876 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
7877 | BOOST_REQUIRE_EQUAL(ret.size(), 3); | |
a69867f2 | 7878 | BOOST_CHECK_EQUAL(queriesCount, 11); |
3d5ebf10 RG |
7879 | } |
7880 | ||
7881 | BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_secure_cname) { | |
7882 | std::unique_ptr<SyncRes> sr; | |
7883 | initSR(sr, true); | |
7884 | ||
0c43f455 | 7885 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
3d5ebf10 RG |
7886 | |
7887 | primeHints(); | |
7888 | const DNSName target("power-dns.com."); | |
7889 | const DNSName targetCName("powerdns.com."); | |
7890 | const ComboAddress targetCNameAddr("192.0.2.42"); | |
7891 | testkeysset_t keys; | |
7892 | ||
7893 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
7894 | luaconfsCopy.dsAnchors.clear(); | |
7895 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
7896 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7897 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7898 | generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7899 | g_luaconfs.setState(luaconfsCopy); | |
7900 | ||
7901 | size_t queriesCount = 0; | |
7902 | ||
0bd2e252 | 7903 | sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3d5ebf10 RG |
7904 | queriesCount++; |
7905 | ||
5374b03b RG |
7906 | if (type == QType::DS || type == QType::DNSKEY) { |
7907 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
3d5ebf10 RG |
7908 | } |
7909 | else { | |
7910 | if (isRootServer(ip)) { | |
7911 | setLWResult(res, 0, false, false, true); | |
7912 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7913 | addDS(DNSName("com."), 300, res->d_records, keys); | |
7914 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
7915 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7916 | return 1; | |
7917 | } | |
7918 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
a69867f2 RG |
7919 | if (domain == DNSName("com.")) { |
7920 | setLWResult(res, 0, true, false, true); | |
7921 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
7922 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7923 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
7924 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7925 | } | |
7926 | else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) { | |
7927 | setLWResult(res, 0, false, false, true); | |
7928 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
7929 | addDS(DNSName(domain), 300, res->d_records, keys); | |
7930 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
7931 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
7932 | } | |
3d5ebf10 RG |
7933 | return 1; |
7934 | } | |
7935 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
7936 | setLWResult(res, 0, true, false, true); | |
a69867f2 RG |
7937 | if (type == QType::NS) { |
7938 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
7939 | addRRSIG(keys, res->d_records, domain, 300); | |
7940 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
3d5ebf10 RG |
7941 | addRRSIG(keys, res->d_records, domain, 300); |
7942 | } | |
a69867f2 RG |
7943 | else { |
7944 | if (domain == target) { | |
7945 | addRecordToLW(res, domain, QType::CNAME, targetCName.toString()); | |
7946 | /* No RRSIG, leading to bogus */ | |
7947 | } | |
7948 | else if (domain == targetCName) { | |
7949 | addRecordToLW(res, domain, QType::A, targetCNameAddr.toString()); | |
7950 | addRRSIG(keys, res->d_records, domain, 300); | |
7951 | } | |
7952 | } | |
3d5ebf10 RG |
7953 | return 1; |
7954 | } | |
7955 | } | |
7956 | ||
7957 | return 0; | |
7958 | }); | |
7959 | ||
7960 | vector<DNSRecord> ret; | |
7961 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
7962 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7963 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
7964 | BOOST_REQUIRE_EQUAL(ret.size(), 3); | |
428f41b7 | 7965 | BOOST_CHECK_EQUAL(queriesCount, 11); |
3d5ebf10 RG |
7966 | |
7967 | /* again, to test the cache */ | |
7968 | ret.clear(); | |
7969 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
7970 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
7971 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
7972 | BOOST_REQUIRE_EQUAL(ret.size(), 3); | |
428f41b7 | 7973 | BOOST_CHECK_EQUAL(queriesCount, 11); |
3d5ebf10 RG |
7974 | } |
7975 | ||
7976 | BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_bogus_cname) { | |
7977 | std::unique_ptr<SyncRes> sr; | |
7978 | initSR(sr, true); | |
7979 | ||
0c43f455 | 7980 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
3d5ebf10 RG |
7981 | |
7982 | primeHints(); | |
7983 | const DNSName target("power-dns.com."); | |
7984 | const DNSName targetCName("powerdns.com."); | |
7985 | const ComboAddress targetCNameAddr("192.0.2.42"); | |
7986 | testkeysset_t keys; | |
7987 | ||
7988 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
7989 | luaconfsCopy.dsAnchors.clear(); | |
7990 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
7991 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7992 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7993 | generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
7994 | g_luaconfs.setState(luaconfsCopy); | |
7995 | ||
7996 | size_t queriesCount = 0; | |
7997 | ||
0bd2e252 | 7998 | sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3d5ebf10 RG |
7999 | queriesCount++; |
8000 | ||
5374b03b RG |
8001 | if (type == QType::DS || type == QType::DNSKEY) { |
8002 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
3d5ebf10 RG |
8003 | } |
8004 | else { | |
8005 | if (isRootServer(ip)) { | |
8006 | setLWResult(res, 0, false, false, true); | |
8007 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
8008 | addDS(DNSName("com."), 300, res->d_records, keys); | |
8009 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
8010 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
8011 | return 1; | |
8012 | } | |
8013 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
a69867f2 RG |
8014 | if (domain == DNSName("com.")) { |
8015 | setLWResult(res, 0, true, false, true); | |
8016 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
8017 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
8018 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
8019 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
8020 | } | |
8021 | else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) { | |
8022 | setLWResult(res, 0, false, false, true); | |
8023 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
8024 | addDS(DNSName(domain), 300, res->d_records, keys); | |
8025 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
8026 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
8027 | } | |
3d5ebf10 RG |
8028 | return 1; |
8029 | } | |
8030 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
8031 | setLWResult(res, 0, true, false, true); | |
a69867f2 RG |
8032 | if (type == QType::NS) { |
8033 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
8034 | addRRSIG(keys, res->d_records, domain, 300); | |
8035 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
3d5ebf10 RG |
8036 | addRRSIG(keys, res->d_records, domain, 300); |
8037 | } | |
a69867f2 RG |
8038 | else { |
8039 | if (domain == target) { | |
8040 | addRecordToLW(res, domain, QType::CNAME, targetCName.toString()); | |
8041 | addRRSIG(keys, res->d_records, domain, 300); | |
8042 | } | |
8043 | else if (domain == targetCName) { | |
8044 | addRecordToLW(res, domain, QType::A, targetCNameAddr.toString()); | |
8045 | /* No RRSIG, leading to bogus */ | |
8046 | } | |
3d5ebf10 RG |
8047 | } |
8048 | return 1; | |
8049 | } | |
8050 | } | |
8051 | ||
8052 | return 0; | |
8053 | }); | |
8054 | ||
8055 | vector<DNSRecord> ret; | |
8056 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
8057 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8058 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
8059 | BOOST_REQUIRE_EQUAL(ret.size(), 3); | |
428f41b7 | 8060 | BOOST_CHECK_EQUAL(queriesCount, 11); |
3d5ebf10 RG |
8061 | |
8062 | /* again, to test the cache */ | |
8063 | ret.clear(); | |
8064 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
8065 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8066 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
8067 | BOOST_REQUIRE_EQUAL(ret.size(), 3); | |
428f41b7 | 8068 | BOOST_CHECK_EQUAL(queriesCount, 11); |
3d5ebf10 RG |
8069 | } |
8070 | ||
8071 | BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_secure_cname) { | |
8072 | std::unique_ptr<SyncRes> sr; | |
8073 | initSR(sr, true); | |
8074 | ||
0c43f455 | 8075 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
3d5ebf10 RG |
8076 | |
8077 | primeHints(); | |
8078 | const DNSName target("power-dns.com."); | |
8079 | const DNSName targetCName("powerdns.com."); | |
8080 | const ComboAddress targetCNameAddr("192.0.2.42"); | |
8081 | testkeysset_t keys; | |
8082 | ||
8083 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
8084 | luaconfsCopy.dsAnchors.clear(); | |
8085 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
8086 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8087 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8088 | generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8089 | g_luaconfs.setState(luaconfsCopy); | |
8090 | ||
8091 | size_t queriesCount = 0; | |
8092 | ||
0bd2e252 | 8093 | sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3d5ebf10 RG |
8094 | queriesCount++; |
8095 | ||
5374b03b RG |
8096 | if (type == QType::DS || type == QType::DNSKEY) { |
8097 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
3d5ebf10 RG |
8098 | } |
8099 | else { | |
8100 | if (isRootServer(ip)) { | |
8101 | setLWResult(res, 0, false, false, true); | |
8102 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
8103 | addDS(DNSName("com."), 300, res->d_records, keys); | |
8104 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
8105 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
8106 | return 1; | |
8107 | } | |
8108 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
a69867f2 RG |
8109 | if (domain == DNSName("com.")) { |
8110 | setLWResult(res, 0, true, false, true); | |
8111 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
8112 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
8113 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
8114 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
8115 | } | |
8116 | else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) { | |
8117 | setLWResult(res, 0, false, false, true); | |
8118 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
8119 | addDS(DNSName(domain), 300, res->d_records, keys); | |
8120 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
8121 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
8122 | } | |
3d5ebf10 RG |
8123 | return 1; |
8124 | } | |
8125 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
8126 | setLWResult(res, 0, true, false, true); | |
a69867f2 RG |
8127 | if (type == QType::NS) { |
8128 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
3d5ebf10 | 8129 | addRRSIG(keys, res->d_records, domain, 300); |
a69867f2 | 8130 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); |
3d5ebf10 RG |
8131 | addRRSIG(keys, res->d_records, domain, 300); |
8132 | } | |
a69867f2 RG |
8133 | else { |
8134 | if (domain == target) { | |
8135 | addRecordToLW(res, domain, QType::CNAME, targetCName.toString()); | |
8136 | addRRSIG(keys, res->d_records, domain, 300); | |
8137 | } | |
8138 | else if (domain == targetCName) { | |
8139 | addRecordToLW(res, domain, QType::A, targetCNameAddr.toString()); | |
8140 | addRRSIG(keys, res->d_records, domain, 300); | |
8141 | } | |
8142 | } | |
3d5ebf10 RG |
8143 | return 1; |
8144 | } | |
8145 | } | |
8146 | ||
8147 | return 0; | |
8148 | }); | |
8149 | ||
8150 | vector<DNSRecord> ret; | |
8151 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
8152 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8153 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
8154 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
a69867f2 | 8155 | BOOST_CHECK_EQUAL(queriesCount, 12); |
3d5ebf10 RG |
8156 | |
8157 | /* again, to test the cache */ | |
8158 | ret.clear(); | |
8159 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
8160 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8161 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
8162 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
a69867f2 | 8163 | BOOST_CHECK_EQUAL(queriesCount, 12); |
3d5ebf10 RG |
8164 | } |
8165 | ||
8166 | BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_insecure_cname) { | |
8167 | std::unique_ptr<SyncRes> sr; | |
a69867f2 | 8168 | initSR(sr, true); |
3d5ebf10 | 8169 | |
0c43f455 | 8170 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
3d5ebf10 RG |
8171 | |
8172 | primeHints(); | |
8173 | const DNSName target("powerdns.com."); | |
8174 | const DNSName targetCName("power-dns.com."); | |
8175 | const ComboAddress targetCNameAddr("192.0.2.42"); | |
8176 | testkeysset_t keys; | |
8177 | ||
8178 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
8179 | luaconfsCopy.dsAnchors.clear(); | |
8180 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
8181 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8182 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8183 | generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8184 | g_luaconfs.setState(luaconfsCopy); | |
8185 | ||
8186 | size_t queriesCount = 0; | |
8187 | ||
0bd2e252 | 8188 | sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
3d5ebf10 RG |
8189 | queriesCount++; |
8190 | ||
8191 | if (type == QType::DS) { | |
a53e8fe3 | 8192 | if (domain == DNSName("power-dns.com.")) { |
5e543cab | 8193 | setLWResult(res, 0, true, false, true); |
3d5ebf10 | 8194 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
5e543cab | 8195 | addRRSIG(keys, res->d_records, DNSName("com."), 300); |
3d5ebf10 RG |
8196 | addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records); |
8197 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
8198 | return 1; | |
8199 | } | |
5374b03b RG |
8200 | else { |
8201 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
8202 | } | |
3d5ebf10 RG |
8203 | } |
8204 | else if (type == QType::DNSKEY) { | |
8205 | if (domain == g_rootdnsname || domain == DNSName("com.") || domain == DNSName("powerdns.com.")) { | |
8206 | setLWResult(res, 0, true, false, true); | |
8207 | addDNSKEY(keys, domain, 300, res->d_records); | |
8208 | addRRSIG(keys, res->d_records, domain, 300); | |
8209 | return 1; | |
8210 | } | |
8211 | else { | |
5e543cab | 8212 | setLWResult(res, 0, true, false, true); |
3d5ebf10 RG |
8213 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
8214 | return 1; | |
8215 | } | |
8216 | } | |
8217 | else { | |
8218 | if (isRootServer(ip)) { | |
8219 | setLWResult(res, 0, false, false, true); | |
8220 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
8221 | addDS(DNSName("com."), 300, res->d_records, keys); | |
8222 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
8223 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
8224 | return 1; | |
8225 | } | |
8226 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
88cb0fe0 RG |
8227 | if (domain == DNSName("com.")) { |
8228 | setLWResult(res, 0, true, false, true); | |
a69867f2 | 8229 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); |
88cb0fe0 RG |
8230 | addRRSIG(keys, res->d_records, DNSName("com."), 300); |
8231 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
8232 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
3d5ebf10 | 8233 | } |
88cb0fe0 RG |
8234 | else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) { |
8235 | setLWResult(res, 0, false, false, true); | |
8236 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
8237 | if (domain == DNSName("powerdns.com.")) { | |
8238 | addDS(DNSName("powerdns.com."), 300, res->d_records, keys); | |
8239 | } | |
8240 | else if (domain == targetCName) { | |
8241 | addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records); | |
8242 | } | |
8243 | addRRSIG(keys, res->d_records, DNSName("com."), 300); | |
8244 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
3d5ebf10 | 8245 | } |
3d5ebf10 RG |
8246 | return 1; |
8247 | } | |
8248 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
8249 | setLWResult(res, 0, true, false, true); | |
88cb0fe0 RG |
8250 | if (type == QType::NS) { |
8251 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
8252 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
3d5ebf10 | 8253 | } |
88cb0fe0 RG |
8254 | else { |
8255 | if (domain == DNSName("powerdns.com.")) { | |
8256 | addRecordToLW(res, domain, QType::CNAME, targetCName.toString()); | |
8257 | /* No RRSIG -> Bogus */ | |
8258 | } | |
8259 | else if (domain == targetCName) { | |
8260 | addRecordToLW(res, domain, QType::A, targetCNameAddr.toString()); | |
8261 | } | |
3d5ebf10 RG |
8262 | } |
8263 | return 1; | |
8264 | } | |
8265 | } | |
8266 | ||
8267 | return 0; | |
8268 | }); | |
8269 | ||
8270 | vector<DNSRecord> ret; | |
8271 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
8272 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8273 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
8274 | /* no RRSIG to show */ | |
8275 | BOOST_CHECK_EQUAL(ret.size(), 2); | |
a69867f2 | 8276 | BOOST_CHECK_EQUAL(queriesCount, 10); |
3d5ebf10 RG |
8277 | |
8278 | /* again, to test the cache */ | |
8279 | ret.clear(); | |
8280 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
8281 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8282 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
8283 | BOOST_CHECK_EQUAL(ret.size(), 2); | |
a69867f2 | 8284 | BOOST_CHECK_EQUAL(queriesCount, 10); |
3d5ebf10 RG |
8285 | } |
8286 | ||
895449a5 RG |
8287 | BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta) { |
8288 | std::unique_ptr<SyncRes> sr; | |
8289 | initSR(sr, true); | |
8290 | ||
0c43f455 | 8291 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
895449a5 RG |
8292 | |
8293 | primeHints(); | |
8294 | const DNSName target("powerdns.com."); | |
8295 | const ComboAddress targetAddr("192.0.2.42"); | |
8296 | testkeysset_t keys; | |
8297 | ||
8298 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
8299 | luaconfsCopy.dsAnchors.clear(); | |
8300 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
8301 | /* No key material for .com */ | |
8302 | generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8303 | luaconfsCopy.dsAnchors[target].insert(keys[target].second); | |
8304 | g_luaconfs.setState(luaconfsCopy); | |
8305 | ||
8306 | size_t queriesCount = 0; | |
8307 | ||
0bd2e252 | 8308 | sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
895449a5 RG |
8309 | queriesCount++; |
8310 | ||
a53e8fe3 | 8311 | if (type == QType::DNSKEY) { |
895449a5 RG |
8312 | if (domain == g_rootdnsname || domain == DNSName("powerdns.com.")) { |
8313 | setLWResult(res, 0, true, false, true); | |
8314 | addDNSKEY(keys, domain, 300, res->d_records); | |
8315 | addRRSIG(keys, res->d_records, domain, 300); | |
8316 | return 1; | |
8317 | } | |
8318 | else if (domain == DNSName("com.")) { | |
5e543cab | 8319 | setLWResult(res, 0, true, false, true); |
895449a5 RG |
8320 | addRecordToLW(res, domain, QType::SOA, ". yop. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
8321 | return 1; | |
8322 | } | |
8323 | } | |
88cb0fe0 | 8324 | else { |
895449a5 RG |
8325 | if (isRootServer(ip)) { |
8326 | setLWResult(res, 0, false, false, true); | |
8327 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
8328 | addNSECRecordToLW(DNSName("com."), DNSName("com."), { QType::NS }, 600, res->d_records); | |
8329 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
8330 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
8331 | return 1; | |
8332 | } | |
8333 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
88cb0fe0 RG |
8334 | if (target == domain) { |
8335 | setLWResult(res, 0, false, false, true); | |
8336 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
8337 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
8338 | } | |
8339 | else if (domain == DNSName("com.")) { | |
8340 | setLWResult(res, 0, true, false, true); | |
8341 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
8342 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
8343 | } | |
895449a5 RG |
8344 | return 1; |
8345 | } | |
8346 | else if (ip == ComboAddress("192.0.2.2:53")) { | |
8347 | setLWResult(res, 0, true, false, true); | |
88cb0fe0 RG |
8348 | if (type == QType::NS) { |
8349 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
8350 | } | |
8351 | else { | |
8352 | addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); | |
8353 | } | |
895449a5 RG |
8354 | addRRSIG(keys, res->d_records, domain, 300); |
8355 | return 1; | |
8356 | } | |
8357 | } | |
8358 | ||
8359 | return 0; | |
8360 | }); | |
8361 | ||
8362 | vector<DNSRecord> ret; | |
8363 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
8364 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8365 | /* should be insecure but we have a TA for powerdns.com. */ | |
8366 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
8367 | /* We got a RRSIG */ | |
8368 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
8369 | BOOST_CHECK(ret[0].d_type == QType::A); | |
5374b03b | 8370 | BOOST_CHECK_EQUAL(queriesCount, 5); |
895449a5 RG |
8371 | |
8372 | /* again, to test the cache */ | |
8373 | ret.clear(); | |
8374 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
8375 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8376 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
8377 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
8378 | BOOST_CHECK(ret[0].d_type == QType::A); | |
5374b03b | 8379 | BOOST_CHECK_EQUAL(queriesCount, 5); |
895449a5 RG |
8380 | } |
8381 | ||
8382 | BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta_norrsig) { | |
8383 | std::unique_ptr<SyncRes> sr; | |
8384 | initSR(sr, true); | |
8385 | ||
0c43f455 | 8386 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
895449a5 RG |
8387 | |
8388 | primeHints(); | |
8389 | const DNSName target("powerdns.com."); | |
8390 | const ComboAddress targetAddr("192.0.2.42"); | |
8391 | testkeysset_t keys; | |
8392 | ||
8393 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
8394 | luaconfsCopy.dsAnchors.clear(); | |
8395 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
8396 | /* No key material for .com */ | |
8397 | generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8398 | luaconfsCopy.dsAnchors[target].insert(keys[target].second); | |
8399 | g_luaconfs.setState(luaconfsCopy); | |
8400 | ||
8401 | size_t queriesCount = 0; | |
8402 | ||
0bd2e252 | 8403 | sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
895449a5 RG |
8404 | queriesCount++; |
8405 | ||
a53e8fe3 | 8406 | if (type == QType::DNSKEY) { |
895449a5 RG |
8407 | if (domain == g_rootdnsname || domain == DNSName("powerdns.com.")) { |
8408 | setLWResult(res, 0, true, false, true); | |
8409 | addDNSKEY(keys, domain, 300, res->d_records); | |
8410 | addRRSIG(keys, res->d_records, domain, 300); | |
8411 | return 1; | |
8412 | } | |
8413 | else if (domain == DNSName("com.")) { | |
5e543cab | 8414 | setLWResult(res, 0, true, false, true); |
895449a5 RG |
8415 | addRecordToLW(res, domain, QType::SOA, ". yop. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); |
8416 | return 1; | |
8417 | } | |
8418 | } | |
70b3fe7a RG |
8419 | else { |
8420 | if (target.isPartOf(domain) && isRootServer(ip)) { | |
895449a5 RG |
8421 | setLWResult(res, 0, false, false, true); |
8422 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); | |
8423 | addNSECRecordToLW(DNSName("com."), DNSName("com."), { QType::NS }, 600, res->d_records); | |
8424 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
8425 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
8426 | return 1; | |
8427 | } | |
8428 | else if (ip == ComboAddress("192.0.2.1:53")) { | |
70b3fe7a RG |
8429 | if (target == domain) { |
8430 | setLWResult(res, 0, false, false, true); | |
8431 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); | |
8432 | addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
8433 | } | |
8434 | else if (domain == DNSName("com.")) { | |
8435 | setLWResult(res, 0, true, false, true); | |
8436 | addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); | |
88cb0fe0 | 8437 | addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); |
70b3fe7a | 8438 | } |
895449a5 RG |
8439 | return 1; |
8440 | } | |
70b3fe7a | 8441 | else if (domain == target && ip == ComboAddress("192.0.2.2:53")) { |
895449a5 | 8442 | setLWResult(res, 0, true, false, true); |
70b3fe7a RG |
8443 | if (type == QType::NS) { |
8444 | addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); | |
8445 | } | |
8446 | else { | |
8447 | addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); | |
8448 | } | |
895449a5 RG |
8449 | /* No RRSIG in a now (thanks to TA) Secure zone -> Bogus*/ |
8450 | return 1; | |
8451 | } | |
8452 | } | |
8453 | ||
8454 | return 0; | |
8455 | }); | |
8456 | ||
8457 | vector<DNSRecord> ret; | |
8458 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
8459 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8460 | /* should be insecure but we have a TA for powerdns.com., but no RRSIG so Bogus */ | |
8461 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
8462 | /* No RRSIG */ | |
8463 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
8464 | BOOST_CHECK(ret[0].d_type == QType::A); | |
5374b03b | 8465 | BOOST_CHECK_EQUAL(queriesCount, 4); |
895449a5 RG |
8466 | |
8467 | /* again, to test the cache */ | |
8468 | ret.clear(); | |
8469 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
8470 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8471 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
8472 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
8473 | BOOST_CHECK(ret[0].d_type == QType::A); | |
5374b03b | 8474 | BOOST_CHECK_EQUAL(queriesCount, 4); |
895449a5 RG |
8475 | } |
8476 | ||
895449a5 RG |
8477 | BOOST_AUTO_TEST_CASE(test_dnssec_nta) { |
8478 | std::unique_ptr<SyncRes> sr; | |
8479 | initSR(sr, true); | |
8480 | ||
0c43f455 | 8481 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
895449a5 | 8482 | |
b7f378d1 RG |
8483 | primeHints(); |
8484 | const DNSName target("."); | |
8485 | testkeysset_t keys; | |
8486 | ||
8487 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
8488 | luaconfsCopy.dsAnchors.clear(); | |
8489 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
8490 | /* Add a NTA for "." */ | |
8491 | luaconfsCopy.negAnchors[g_rootdnsname] = "NTA for Root"; | |
8492 | g_luaconfs.setState(luaconfsCopy); | |
8493 | ||
8494 | size_t queriesCount = 0; | |
8495 | ||
0bd2e252 | 8496 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
b7f378d1 RG |
8497 | queriesCount++; |
8498 | ||
8499 | if (domain == target && type == QType::NS) { | |
8500 | ||
8501 | setLWResult(res, 0, true, false, true); | |
8502 | char addr[] = "a.root-servers.net."; | |
8503 | for (char idx = 'a'; idx <= 'm'; idx++) { | |
8504 | addr[0] = idx; | |
8455425c RG |
8505 | addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600); |
8506 | } | |
8507 | ||
8508 | addRRSIG(keys, res->d_records, domain, 300); | |
8509 | ||
8510 | addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600); | |
8511 | addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600); | |
8512 | ||
8513 | return 1; | |
8514 | } else if (domain == target && type == QType::DNSKEY) { | |
8515 | ||
8516 | setLWResult(res, 0, true, false, true); | |
8517 | ||
8518 | /* No DNSKEY */ | |
8519 | ||
8520 | return 1; | |
8521 | } | |
8522 | ||
8523 | return 0; | |
8524 | }); | |
8525 | ||
8526 | vector<DNSRecord> ret; | |
8527 | int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
b7f378d1 RG |
8528 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
8529 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
8455425c RG |
8530 | /* 13 NS + 1 RRSIG */ |
8531 | BOOST_REQUIRE_EQUAL(ret.size(), 14); | |
8532 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
b7f378d1 RG |
8533 | |
8534 | /* again, to test the cache */ | |
8535 | ret.clear(); | |
8536 | res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
8537 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8455425c | 8538 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); |
b7f378d1 RG |
8539 | BOOST_REQUIRE_EQUAL(ret.size(), 14); |
8540 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
8455425c RG |
8541 | } |
8542 | ||
8543 | BOOST_AUTO_TEST_CASE(test_dnssec_no_ta) { | |
8544 | std::unique_ptr<SyncRes> sr; | |
895449a5 | 8545 | initSR(sr, true); |
8455425c | 8546 | |
0c43f455 | 8547 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
8455425c RG |
8548 | |
8549 | primeHints(); | |
8550 | const DNSName target("."); | |
b7f378d1 | 8551 | testkeysset_t keys; |
8455425c RG |
8552 | |
8553 | /* Remove the root DS */ | |
8554 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
8555 | luaconfsCopy.dsAnchors.clear(); | |
8556 | g_luaconfs.setState(luaconfsCopy); | |
8557 | ||
8558 | size_t queriesCount = 0; | |
8559 | ||
0bd2e252 | 8560 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
8455425c RG |
8561 | queriesCount++; |
8562 | ||
8563 | if (domain == target && type == QType::NS) { | |
8564 | ||
8565 | setLWResult(res, 0, true, false, true); | |
8566 | char addr[] = "a.root-servers.net."; | |
8567 | for (char idx = 'a'; idx <= 'm'; idx++) { | |
8568 | addr[0] = idx; | |
8569 | addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600); | |
8570 | } | |
8571 | ||
8572 | addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600); | |
8573 | addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600); | |
8574 | ||
8575 | return 1; | |
8576 | } | |
8577 | ||
8578 | return 0; | |
8579 | }); | |
8580 | ||
8581 | vector<DNSRecord> ret; | |
8582 | int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
b7f378d1 RG |
8583 | BOOST_CHECK_EQUAL(res, RCode::NoError); |
8584 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
8455425c RG |
8585 | /* 13 NS + 0 RRSIG */ |
8586 | BOOST_REQUIRE_EQUAL(ret.size(), 13); | |
8587 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
b7f378d1 RG |
8588 | |
8589 | /* again, to test the cache */ | |
8590 | ret.clear(); | |
8591 | res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); | |
8592 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8455425c | 8593 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); |
b7f378d1 RG |
8594 | BOOST_REQUIRE_EQUAL(ret.size(), 13); |
8595 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
8455425c RG |
8596 | } |
8597 | ||
114829cc RG |
8598 | BOOST_AUTO_TEST_CASE(test_dnssec_bogus_nodata) { |
8599 | std::unique_ptr<SyncRes> sr; | |
8600 | initSR(sr, true); | |
8601 | ||
5d7b19c5 | 8602 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); |
114829cc RG |
8603 | |
8604 | primeHints(); | |
8605 | const DNSName target("powerdns.com."); | |
8606 | testkeysset_t keys; | |
8607 | ||
8608 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
8609 | luaconfsCopy.dsAnchors.clear(); | |
8610 | generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
5374b03b | 8611 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); |
114829cc RG |
8612 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); |
8613 | g_luaconfs.setState(luaconfsCopy); | |
8614 | ||
8615 | size_t queriesCount = 0; | |
8616 | ||
0bd2e252 | 8617 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
114829cc RG |
8618 | queriesCount++; |
8619 | ||
5374b03b RG |
8620 | if (type == QType::DS || type == QType::DNSKEY) { |
8621 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
114829cc RG |
8622 | } |
8623 | else { | |
8624 | ||
8625 | setLWResult(res, 0, true, false, true); | |
8626 | return 1; | |
8627 | } | |
8628 | ||
8629 | return 0; | |
8630 | }); | |
8631 | ||
8632 | vector<DNSRecord> ret; | |
8633 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
8634 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8635 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
8636 | BOOST_REQUIRE_EQUAL(ret.size(), 0); | |
8637 | /* com|NS, powerdns.com|NS, powerdns.com|A */ | |
8638 | BOOST_CHECK_EQUAL(queriesCount, 3); | |
8639 | ||
8640 | /* again, to test the cache */ | |
8641 | ret.clear(); | |
8642 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
8643 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
8644 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
8645 | BOOST_REQUIRE_EQUAL(ret.size(), 0); | |
8646 | /* we don't store empty results */ | |
5374b03b | 8647 | BOOST_CHECK_EQUAL(queriesCount, 4); |
114829cc RG |
8648 | } |
8649 | ||
db04449e RG |
8650 | BOOST_AUTO_TEST_CASE(test_nsec_denial_nowrap) { |
8651 | init(); | |
8652 | ||
8653 | testkeysset_t keys; | |
8654 | generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8655 | ||
8656 | vector<DNSRecord> records; | |
8657 | ||
8658 | vector<shared_ptr<DNSRecordContent>> recordContents; | |
8659 | vector<shared_ptr<RRSIGRecordContent>> signatureContents; | |
8660 | ||
8661 | /* | |
8662 | No wrap test case: | |
8663 | a.example.org. -> d.example.org. denies the existence of b.example.org. | |
8664 | */ | |
8665 | addNSECRecordToLW(DNSName("a.example.org."), DNSName("d.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records); | |
8666 | recordContents.push_back(records.at(0).d_content); | |
8667 | addRRSIG(keys, records, DNSName("example.org."), 300); | |
8668 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
8669 | records.clear(); | |
8670 | ||
8671 | ContentSigPair pair; | |
8672 | pair.records = recordContents; | |
8673 | pair.signatures = signatureContents; | |
8674 | cspmap_t denialMap; | |
8675 | denialMap[std::make_pair(DNSName("a.example.org."), QType::NSEC)] = pair; | |
8676 | ||
9b061cf5 RG |
8677 | /* add wildcard denial */ |
8678 | recordContents.clear(); | |
8679 | signatureContents.clear(); | |
8680 | addNSECRecordToLW(DNSName("example.org."), DNSName("+.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records); | |
8681 | recordContents.push_back(records.at(0).d_content); | |
8682 | addRRSIG(keys, records, DNSName("example.org."), 300); | |
8683 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
8684 | records.clear(); | |
8685 | ||
8686 | pair.records = recordContents; | |
8687 | pair.signatures = signatureContents; | |
8688 | denialMap[std::make_pair(DNSName("example.org."), QType::NSEC)] = pair; | |
8689 | ||
00e3fef4 | 8690 | dState denialState = getDenial(denialMap, DNSName("b.example.org."), QType::A, false, false); |
db04449e RG |
8691 | BOOST_CHECK_EQUAL(denialState, NXDOMAIN); |
8692 | ||
00e3fef4 | 8693 | denialState = getDenial(denialMap, DNSName("d.example.org."), QType::A, false, false); |
db04449e RG |
8694 | /* let's check that d.example.org. is not denied by this proof */ |
8695 | BOOST_CHECK_EQUAL(denialState, NODATA); | |
8696 | } | |
8697 | ||
8698 | BOOST_AUTO_TEST_CASE(test_nsec_denial_wrap_case_1) { | |
8699 | init(); | |
8700 | ||
8701 | testkeysset_t keys; | |
8702 | generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8703 | ||
8704 | vector<DNSRecord> records; | |
8705 | ||
8706 | vector<shared_ptr<DNSRecordContent>> recordContents; | |
8707 | vector<shared_ptr<RRSIGRecordContent>> signatureContents; | |
8708 | ||
8709 | /* | |
8710 | Wrap case 1 test case: | |
8711 | z.example.org. -> b.example.org. denies the existence of a.example.org. | |
8712 | */ | |
8713 | addNSECRecordToLW(DNSName("z.example.org."), DNSName("b.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records); | |
8714 | recordContents.push_back(records.at(0).d_content); | |
8715 | addRRSIG(keys, records, DNSName("example.org."), 300); | |
8716 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
8717 | records.clear(); | |
8718 | ||
8719 | ContentSigPair pair; | |
8720 | pair.records = recordContents; | |
8721 | pair.signatures = signatureContents; | |
8722 | cspmap_t denialMap; | |
8723 | denialMap[std::make_pair(DNSName("z.example.org."), QType::NSEC)] = pair; | |
8724 | ||
00e3fef4 | 8725 | dState denialState = getDenial(denialMap, DNSName("a.example.org."), QType::A, false, false); |
db04449e RG |
8726 | BOOST_CHECK_EQUAL(denialState, NXDOMAIN); |
8727 | ||
00e3fef4 | 8728 | denialState = getDenial(denialMap, DNSName("d.example.org."), QType::A, false, false); |
db04449e RG |
8729 | /* let's check that d.example.org. is not denied by this proof */ |
8730 | BOOST_CHECK_EQUAL(denialState, NODATA); | |
8731 | } | |
8732 | ||
8733 | BOOST_AUTO_TEST_CASE(test_nsec_denial_wrap_case_2) { | |
8734 | init(); | |
8735 | ||
8736 | testkeysset_t keys; | |
8737 | generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8738 | ||
8739 | vector<DNSRecord> records; | |
8740 | ||
8741 | vector<shared_ptr<DNSRecordContent>> recordContents; | |
8742 | vector<shared_ptr<RRSIGRecordContent>> signatureContents; | |
8743 | ||
8744 | /* | |
8745 | Wrap case 2 test case: | |
8746 | y.example.org. -> a.example.org. denies the existence of z.example.org. | |
8747 | */ | |
8748 | addNSECRecordToLW(DNSName("y.example.org."), DNSName("a.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records); | |
8749 | recordContents.push_back(records.at(0).d_content); | |
8750 | addRRSIG(keys, records, DNSName("example.org."), 300); | |
8751 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
8752 | records.clear(); | |
8753 | ||
8754 | ContentSigPair pair; | |
8755 | pair.records = recordContents; | |
8756 | pair.signatures = signatureContents; | |
8757 | cspmap_t denialMap; | |
8758 | denialMap[std::make_pair(DNSName("y.example.org."), QType::NSEC)] = pair; | |
8759 | ||
00e3fef4 | 8760 | dState denialState = getDenial(denialMap, DNSName("z.example.org."), QType::A, false, false); |
db04449e RG |
8761 | BOOST_CHECK_EQUAL(denialState, NXDOMAIN); |
8762 | ||
00e3fef4 | 8763 | denialState = getDenial(denialMap, DNSName("d.example.org."), QType::A, false, false); |
db04449e RG |
8764 | /* let's check that d.example.org. is not denied by this proof */ |
8765 | BOOST_CHECK_EQUAL(denialState, NODATA); | |
8766 | } | |
8767 | ||
8768 | BOOST_AUTO_TEST_CASE(test_nsec_denial_only_one_nsec) { | |
8769 | init(); | |
8770 | ||
8771 | testkeysset_t keys; | |
8772 | generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8773 | ||
8774 | vector<DNSRecord> records; | |
8775 | ||
8776 | vector<shared_ptr<DNSRecordContent>> recordContents; | |
8777 | vector<shared_ptr<RRSIGRecordContent>> signatureContents; | |
8778 | ||
8779 | /* | |
8780 | Only one NSEC in the whole zone test case: | |
8781 | a.example.org. -> a.example.org. denies the existence of b.example.org. | |
8782 | */ | |
8783 | addNSECRecordToLW(DNSName("a.example.org."), DNSName("a.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records); | |
8784 | recordContents.push_back(records.at(0).d_content); | |
8785 | addRRSIG(keys, records, DNSName("example.org."), 300); | |
8786 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
8787 | records.clear(); | |
8788 | ||
8789 | ContentSigPair pair; | |
8790 | pair.records = recordContents; | |
8791 | pair.signatures = signatureContents; | |
8792 | cspmap_t denialMap; | |
8793 | denialMap[std::make_pair(DNSName("a.example.org."), QType::NSEC)] = pair; | |
8794 | ||
00e3fef4 | 8795 | dState denialState = getDenial(denialMap, DNSName("b.example.org."), QType::A, false, false); |
db04449e RG |
8796 | BOOST_CHECK_EQUAL(denialState, NXDOMAIN); |
8797 | ||
00e3fef4 | 8798 | denialState = getDenial(denialMap, DNSName("a.example.org."), QType::A, false, false); |
db04449e RG |
8799 | /* let's check that d.example.org. is not denied by this proof */ |
8800 | BOOST_CHECK_EQUAL(denialState, NODATA); | |
8801 | } | |
8802 | ||
1efd998a RG |
8803 | BOOST_AUTO_TEST_CASE(test_nsec_root_nxd_denial) { |
8804 | init(); | |
8805 | ||
8806 | testkeysset_t keys; | |
8807 | generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8808 | ||
8809 | vector<DNSRecord> records; | |
8810 | ||
8811 | vector<shared_ptr<DNSRecordContent>> recordContents; | |
8812 | vector<shared_ptr<RRSIGRecordContent>> signatureContents; | |
8813 | ||
8814 | /* | |
8815 | The RRSIG from "." denies the existence of anything between a. and c., | |
8816 | including b. | |
8817 | */ | |
8818 | addNSECRecordToLW(DNSName("a."), DNSName("c."), { QType::NS }, 600, records); | |
8819 | recordContents.push_back(records.at(0).d_content); | |
8820 | addRRSIG(keys, records, DNSName("."), 300); | |
8821 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
8822 | records.clear(); | |
8823 | ||
8824 | ContentSigPair pair; | |
8825 | pair.records = recordContents; | |
8826 | pair.signatures = signatureContents; | |
8827 | cspmap_t denialMap; | |
8828 | denialMap[std::make_pair(DNSName("a."), QType::NSEC)] = pair; | |
8829 | ||
9b061cf5 RG |
8830 | /* add wildcard denial */ |
8831 | recordContents.clear(); | |
8832 | signatureContents.clear(); | |
8833 | addNSECRecordToLW(DNSName("."), DNSName("+"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records); | |
8834 | recordContents.push_back(records.at(0).d_content); | |
8835 | addRRSIG(keys, records, DNSName("."), 300); | |
8836 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
8837 | records.clear(); | |
8838 | ||
8839 | pair.records = recordContents; | |
8840 | pair.signatures = signatureContents; | |
8841 | denialMap[std::make_pair(DNSName("."), QType::NSEC)] = pair; | |
8842 | ||
00e3fef4 | 8843 | dState denialState = getDenial(denialMap, DNSName("b."), QType::A, false, false); |
1efd998a RG |
8844 | BOOST_CHECK_EQUAL(denialState, NXDOMAIN); |
8845 | } | |
8846 | ||
8847 | BOOST_AUTO_TEST_CASE(test_nsec_ancestor_nxqtype_denial) { | |
8848 | init(); | |
8849 | ||
8850 | testkeysset_t keys; | |
8851 | generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8852 | ||
8853 | vector<DNSRecord> records; | |
8854 | ||
8855 | vector<shared_ptr<DNSRecordContent>> recordContents; | |
8856 | vector<shared_ptr<RRSIGRecordContent>> signatureContents; | |
8857 | ||
8858 | /* | |
8859 | The RRSIG from "." denies the existence of any type except NS at a. | |
8860 | However since it's an ancestor delegation NSEC (NS bit set, SOA bit clear, | |
8861 | signer field that is shorter than the owner name of the NSEC RR) it can't | |
8862 | be used to deny anything except the whole name or a DS. | |
8863 | */ | |
8864 | addNSECRecordToLW(DNSName("a."), DNSName("b."), { QType::NS }, 600, records); | |
8865 | recordContents.push_back(records.at(0).d_content); | |
8866 | addRRSIG(keys, records, DNSName("."), 300); | |
8867 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
8868 | records.clear(); | |
8869 | ||
8870 | ContentSigPair pair; | |
8871 | pair.records = recordContents; | |
8872 | pair.signatures = signatureContents; | |
8873 | cspmap_t denialMap; | |
8874 | denialMap[std::make_pair(DNSName("a."), QType::NSEC)] = pair; | |
8875 | ||
8876 | /* RFC 6840 section 4.1 "Clarifications on Nonexistence Proofs": | |
8877 | Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume | |
8878 | nonexistence of any RRs below that zone cut, which include all RRs at | |
8879 | that (original) owner name other than DS RRs, and all RRs below that | |
8880 | owner name regardless of type. | |
8881 | */ | |
8882 | ||
00e3fef4 | 8883 | dState denialState = getDenial(denialMap, DNSName("a."), QType::A, false, false); |
1efd998a RG |
8884 | /* no data means the qname/qtype is not denied, because an ancestor |
8885 | delegation NSEC can only deny the DS */ | |
8886 | BOOST_CHECK_EQUAL(denialState, NODATA); | |
8887 | ||
5b522864 RG |
8888 | /* it can not be used to deny any RRs below that owner name either */ |
8889 | denialState = getDenial(denialMap, DNSName("sub.a."), QType::A, false, false); | |
8890 | BOOST_CHECK_EQUAL(denialState, NODATA); | |
8891 | ||
00e3fef4 | 8892 | denialState = getDenial(denialMap, DNSName("a."), QType::DS, true, true); |
1efd998a RG |
8893 | BOOST_CHECK_EQUAL(denialState, NXQTYPE); |
8894 | } | |
8895 | ||
95823c07 RG |
8896 | BOOST_AUTO_TEST_CASE(test_nsec_insecure_delegation_denial) { |
8897 | init(); | |
8898 | ||
8899 | testkeysset_t keys; | |
8900 | generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8901 | ||
8902 | vector<DNSRecord> records; | |
8903 | ||
8904 | vector<shared_ptr<DNSRecordContent>> recordContents; | |
8905 | vector<shared_ptr<RRSIGRecordContent>> signatureContents; | |
8906 | ||
8907 | /* | |
8908 | * RFC 5155 section 8.9: | |
8909 | * If there is an NSEC3 RR present in the response that matches the | |
8910 | * delegation name, then the validator MUST ensure that the NS bit is | |
8911 | * set and that the DS bit is not set in the Type Bit Maps field of the | |
8912 | * NSEC3 RR. | |
8913 | */ | |
8914 | /* | |
8915 | The RRSIG from "." denies the existence of any type at a. | |
8916 | NS should be set if it was proving an insecure delegation, let's check that | |
8917 | we correctly detect that it's not. | |
8918 | */ | |
8919 | addNSECRecordToLW(DNSName("a."), DNSName("b."), { }, 600, records); | |
8920 | recordContents.push_back(records.at(0).d_content); | |
8921 | addRRSIG(keys, records, DNSName("."), 300); | |
8922 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
8923 | records.clear(); | |
8924 | ||
8925 | ContentSigPair pair; | |
8926 | pair.records = recordContents; | |
8927 | pair.signatures = signatureContents; | |
8928 | cspmap_t denialMap; | |
8929 | denialMap[std::make_pair(DNSName("a."), QType::NSEC)] = pair; | |
8930 | ||
8931 | /* Insecure because the NS is not set, so while it does | |
8932 | denies the DS, it can't prove an insecure delegation */ | |
00e3fef4 | 8933 | dState denialState = getDenial(denialMap, DNSName("a."), QType::DS, true, true); |
b7c40613 | 8934 | BOOST_CHECK_EQUAL(denialState, NODATA); |
95823c07 RG |
8935 | } |
8936 | ||
9b061cf5 RG |
8937 | BOOST_AUTO_TEST_CASE(test_nsec_nxqtype_cname) { |
8938 | init(); | |
8939 | ||
8940 | testkeysset_t keys; | |
8941 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8942 | ||
8943 | vector<DNSRecord> records; | |
8944 | ||
8945 | vector<shared_ptr<DNSRecordContent>> recordContents; | |
8946 | vector<shared_ptr<RRSIGRecordContent>> signatureContents; | |
8947 | ||
8948 | addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("a.c.powerdns.com."), { QType::CNAME }, 600, records); | |
8949 | recordContents.push_back(records.at(0).d_content); | |
8950 | addRRSIG(keys, records, DNSName("powerdns.com."), 300); | |
8951 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
8952 | records.clear(); | |
8953 | ||
8954 | ContentSigPair pair; | |
8955 | pair.records = recordContents; | |
8956 | pair.signatures = signatureContents; | |
8957 | cspmap_t denialMap; | |
8958 | denialMap[std::make_pair(DNSName("a.powerdns.com."), QType::NSEC)] = pair; | |
8959 | ||
8960 | /* this NSEC is not valid to deny a.powerdns.com|A since it states that a CNAME exists */ | |
8961 | dState denialState = getDenial(denialMap, DNSName("a.powerdns.com."), QType::A, true, true); | |
8962 | BOOST_CHECK_EQUAL(denialState, NODATA); | |
8963 | } | |
8964 | ||
8965 | BOOST_AUTO_TEST_CASE(test_nsec3_nxqtype_cname) { | |
8966 | init(); | |
8967 | ||
8968 | testkeysset_t keys; | |
8969 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8970 | ||
8971 | vector<DNSRecord> records; | |
8972 | ||
8973 | vector<shared_ptr<DNSRecordContent>> recordContents; | |
8974 | vector<shared_ptr<RRSIGRecordContent>> signatureContents; | |
8975 | ||
8976 | addNSEC3UnhashedRecordToLW(DNSName("a.powerdns.com."), DNSName("powerdns.com."), "whatever", { QType::CNAME }, 600, records); | |
8977 | recordContents.push_back(records.at(0).d_content); | |
8978 | addRRSIG(keys, records, DNSName("powerdns.com."), 300); | |
8979 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
8980 | ||
8981 | ContentSigPair pair; | |
8982 | pair.records = recordContents; | |
8983 | pair.signatures = signatureContents; | |
8984 | cspmap_t denialMap; | |
8985 | denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair; | |
8986 | records.clear(); | |
8987 | ||
8988 | /* this NSEC3 is not valid to deny a.powerdns.com|A since it states that a CNAME exists */ | |
8989 | dState denialState = getDenial(denialMap, DNSName("a.powerdns.com."), QType::A, false, true); | |
8990 | BOOST_CHECK_EQUAL(denialState, NODATA); | |
8991 | } | |
8992 | ||
8993 | BOOST_AUTO_TEST_CASE(test_nsec_nxdomain_denial_missing_wildcard) { | |
8994 | init(); | |
8995 | ||
8996 | testkeysset_t keys; | |
8997 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
8998 | ||
8999 | vector<DNSRecord> records; | |
9000 | ||
9001 | vector<shared_ptr<DNSRecordContent>> recordContents; | |
9002 | vector<shared_ptr<RRSIGRecordContent>> signatureContents; | |
9003 | ||
9004 | addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("d.powerdns.com"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records); | |
9005 | recordContents.push_back(records.at(0).d_content); | |
9006 | addRRSIG(keys, records, DNSName("powerdns.com."), 300); | |
9007 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
9008 | records.clear(); | |
9009 | ||
9010 | ContentSigPair pair; | |
9011 | pair.records = recordContents; | |
9012 | pair.signatures = signatureContents; | |
9013 | cspmap_t denialMap; | |
9014 | denialMap[std::make_pair(DNSName("a.powerdns.com."), QType::NSEC)] = pair; | |
9015 | ||
9016 | dState denialState = getDenial(denialMap, DNSName("b.powerdns.com."), QType::A, false, false); | |
9017 | BOOST_CHECK_EQUAL(denialState, NODATA); | |
9018 | } | |
9019 | ||
9020 | BOOST_AUTO_TEST_CASE(test_nsec3_nxdomain_denial_missing_wildcard) { | |
9021 | init(); | |
9022 | ||
9023 | testkeysset_t keys; | |
9024 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
9025 | ||
9026 | vector<DNSRecord> records; | |
9027 | ||
9028 | vector<shared_ptr<DNSRecordContent>> recordContents; | |
9029 | vector<shared_ptr<RRSIGRecordContent>> signatureContents; | |
9030 | ||
9031 | addNSEC3NarrowRecordToLW(DNSName("a.powerdns.com."), DNSName("powerdns.com."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records); | |
9032 | recordContents.push_back(records.at(0).d_content); | |
9033 | addRRSIG(keys, records, DNSName("powerdns.com."), 300); | |
9034 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
9035 | ||
9036 | ContentSigPair pair; | |
9037 | pair.records = recordContents; | |
9038 | pair.signatures = signatureContents; | |
9039 | cspmap_t denialMap; | |
9040 | denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair; | |
9041 | ||
9042 | /* Add NSEC3 for the closest encloser */ | |
9043 | recordContents.clear(); | |
9044 | signatureContents.clear(); | |
9045 | records.clear(); | |
9046 | addNSEC3UnhashedRecordToLW(DNSName("powerdns.com."), DNSName("powerdns.com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records); | |
9047 | recordContents.push_back(records.at(0).d_content); | |
9048 | addRRSIG(keys, records, DNSName("powerdns.com."), 300); | |
9049 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
9050 | ||
9051 | pair.records = recordContents; | |
9052 | pair.signatures = signatureContents; | |
9053 | denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair; | |
9054 | ||
9055 | dState denialState = getDenial(denialMap, DNSName("b.powerdns.com."), QType::A, false, false); | |
9056 | BOOST_CHECK_EQUAL(denialState, NODATA); | |
9057 | } | |
9058 | ||
00e3fef4 RG |
9059 | BOOST_AUTO_TEST_CASE(test_nsec_ent_denial) { |
9060 | init(); | |
9061 | ||
9062 | testkeysset_t keys; | |
9063 | generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
9064 | ||
9065 | vector<DNSRecord> records; | |
9066 | ||
9067 | vector<shared_ptr<DNSRecordContent>> recordContents; | |
9068 | vector<shared_ptr<RRSIGRecordContent>> signatureContents; | |
9069 | ||
9070 | addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("a.c.powerdns.com."), { QType::A }, 600, records); | |
9071 | recordContents.push_back(records.at(0).d_content); | |
9072 | addRRSIG(keys, records, DNSName("powerdns.com."), 300); | |
9073 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
9074 | records.clear(); | |
9075 | ||
9076 | ContentSigPair pair; | |
9077 | pair.records = recordContents; | |
9078 | pair.signatures = signatureContents; | |
9079 | cspmap_t denialMap; | |
9080 | denialMap[std::make_pair(DNSName("a.powerdns.com."), QType::NSEC)] = pair; | |
9081 | ||
9b061cf5 | 9082 | /* this NSEC is valid to prove a NXQTYPE at c.powerdns.com because it proves that |
00e3fef4 | 9083 | it is an ENT */ |
9b061cf5 | 9084 | dState denialState = getDenial(denialMap, DNSName("c.powerdns.com."), QType::AAAA, true, true); |
00e3fef4 | 9085 | BOOST_CHECK_EQUAL(denialState, NXQTYPE); |
00be1ff6 | 9086 | |
9b061cf5 RG |
9087 | /* this NSEC is not valid to prove a NXQTYPE at b.powerdns.com, |
9088 | it could prove a NXDOMAIN if it had an additional wildcard denial */ | |
9089 | denialState = getDenial(denialMap, DNSName("b.powerdns.com."), QType::AAAA, true, true); | |
9090 | BOOST_CHECK_EQUAL(denialState, NODATA); | |
9091 | ||
00be1ff6 RG |
9092 | /* this NSEC is not valid to prove a NXQTYPE for QType::A at a.c.powerdns.com either */ |
9093 | denialState = getDenial(denialMap, DNSName("a.c.powerdns.com."), QType::A, true, true); | |
9094 | BOOST_CHECK_EQUAL(denialState, NODATA); | |
9b061cf5 RG |
9095 | |
9096 | /* if we add the wildcard denial proof, we should get a NXDOMAIN proof for b.powerdns.com */ | |
9097 | recordContents.clear(); | |
9098 | signatureContents.clear(); | |
9099 | addNSECRecordToLW(DNSName(").powerdns.com."), DNSName("+.powerdns.com."), { }, 600, records); | |
9100 | recordContents.push_back(records.at(0).d_content); | |
9101 | addRRSIG(keys, records, DNSName("powerdns.com."), 300); | |
9102 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
9103 | records.clear(); | |
9104 | pair.records = recordContents; | |
9105 | pair.signatures = signatureContents; | |
9106 | denialMap[std::make_pair(DNSName(").powerdns.com."), QType::NSEC)] = pair; | |
9107 | ||
82566a96 | 9108 | denialState = getDenial(denialMap, DNSName("b.powerdns.com."), QType::A, true, false); |
9b061cf5 | 9109 | BOOST_CHECK_EQUAL(denialState, NXDOMAIN); |
00e3fef4 RG |
9110 | } |
9111 | ||
95823c07 RG |
9112 | BOOST_AUTO_TEST_CASE(test_nsec3_ancestor_nxqtype_denial) { |
9113 | init(); | |
9114 | ||
9115 | testkeysset_t keys; | |
9116 | generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
9117 | ||
9118 | vector<DNSRecord> records; | |
9119 | ||
9120 | vector<shared_ptr<DNSRecordContent>> recordContents; | |
9121 | vector<shared_ptr<RRSIGRecordContent>> signatureContents; | |
9122 | ||
9123 | /* | |
9124 | The RRSIG from "." denies the existence of any type except NS at a. | |
9125 | However since it's an ancestor delegation NSEC (NS bit set, SOA bit clear, | |
9126 | signer field that is shorter than the owner name of the NSEC RR) it can't | |
9127 | be used to deny anything except the whole name or a DS. | |
9128 | */ | |
9b061cf5 | 9129 | addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", { QType::NS }, 600, records); |
95823c07 RG |
9130 | recordContents.push_back(records.at(0).d_content); |
9131 | addRRSIG(keys, records, DNSName("."), 300); | |
9132 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
9133 | ||
9134 | ContentSigPair pair; | |
9135 | pair.records = recordContents; | |
9136 | pair.signatures = signatureContents; | |
9137 | cspmap_t denialMap; | |
9138 | denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair; | |
9139 | records.clear(); | |
9140 | ||
9141 | /* RFC 6840 section 4.1 "Clarifications on Nonexistence Proofs": | |
9142 | Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume | |
9143 | nonexistence of any RRs below that zone cut, which include all RRs at | |
9144 | that (original) owner name other than DS RRs, and all RRs below that | |
9145 | owner name regardless of type. | |
9146 | */ | |
9147 | ||
00e3fef4 | 9148 | dState denialState = getDenial(denialMap, DNSName("a."), QType::A, false, true); |
95823c07 RG |
9149 | /* no data means the qname/qtype is not denied, because an ancestor |
9150 | delegation NSEC3 can only deny the DS */ | |
9151 | BOOST_CHECK_EQUAL(denialState, NODATA); | |
9152 | ||
00e3fef4 | 9153 | denialState = getDenial(denialMap, DNSName("a."), QType::DS, true, true); |
95823c07 | 9154 | BOOST_CHECK_EQUAL(denialState, NXQTYPE); |
5b522864 RG |
9155 | |
9156 | /* it can not be used to deny any RRs below that owner name either */ | |
9157 | /* Add NSEC3 for the next closer */ | |
9158 | recordContents.clear(); | |
9159 | signatureContents.clear(); | |
9160 | records.clear(); | |
9161 | addNSEC3NarrowRecordToLW(DNSName("sub.a."), DNSName("."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC3 }, 600, records); | |
9162 | recordContents.push_back(records.at(0).d_content); | |
9163 | addRRSIG(keys, records, DNSName("."), 300); | |
9164 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
9165 | ||
9166 | pair.records = recordContents; | |
9167 | pair.signatures = signatureContents; | |
9168 | denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair; | |
9169 | ||
9170 | /* add wildcard denial */ | |
9171 | recordContents.clear(); | |
9172 | signatureContents.clear(); | |
9173 | records.clear(); | |
9174 | addNSEC3NarrowRecordToLW(DNSName("*.a."), DNSName("."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC3 }, 600, records); | |
9175 | recordContents.push_back(records.at(0).d_content); | |
9176 | addRRSIG(keys, records, DNSName("."), 300); | |
9177 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
9178 | ||
9179 | pair.records = recordContents; | |
9180 | pair.signatures = signatureContents; | |
9181 | denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair; | |
9182 | ||
9183 | denialState = getDenial(denialMap, DNSName("sub.a."), QType::A, false, true); | |
9184 | BOOST_CHECK_EQUAL(denialState, NODATA); | |
95823c07 RG |
9185 | } |
9186 | ||
b7c40613 RG |
9187 | BOOST_AUTO_TEST_CASE(test_nsec3_denial_too_many_iterations) { |
9188 | init(); | |
9189 | ||
9190 | testkeysset_t keys; | |
9191 | generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
9192 | ||
9193 | vector<DNSRecord> records; | |
9194 | ||
9195 | vector<shared_ptr<DNSRecordContent>> recordContents; | |
9196 | vector<shared_ptr<RRSIGRecordContent>> signatureContents; | |
9197 | ||
9198 | /* adding a NSEC3 with more iterations that we support */ | |
9199 | addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", { QType::AAAA }, 600, records, g_maxNSEC3Iterations + 100); | |
9200 | recordContents.push_back(records.at(0).d_content); | |
9201 | addRRSIG(keys, records, DNSName("."), 300); | |
9202 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
9203 | ||
9204 | ContentSigPair pair; | |
9205 | pair.records = recordContents; | |
9206 | pair.signatures = signatureContents; | |
9207 | cspmap_t denialMap; | |
9208 | denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair; | |
9209 | records.clear(); | |
9210 | ||
9211 | dState denialState = getDenial(denialMap, DNSName("a."), QType::A, false, true); | |
9212 | /* since we refuse to compute more than g_maxNSEC3Iterations iterations, it should be Insecure */ | |
9213 | BOOST_CHECK_EQUAL(denialState, INSECURE); | |
9214 | } | |
9215 | ||
95823c07 RG |
9216 | BOOST_AUTO_TEST_CASE(test_nsec3_insecure_delegation_denial) { |
9217 | init(); | |
9218 | ||
9219 | testkeysset_t keys; | |
9220 | generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
9221 | ||
9222 | vector<DNSRecord> records; | |
9223 | ||
9224 | vector<shared_ptr<DNSRecordContent>> recordContents; | |
9225 | vector<shared_ptr<RRSIGRecordContent>> signatureContents; | |
9226 | ||
9227 | /* | |
9228 | * RFC 5155 section 8.9: | |
9229 | * If there is an NSEC3 RR present in the response that matches the | |
9230 | * delegation name, then the validator MUST ensure that the NS bit is | |
9231 | * set and that the DS bit is not set in the Type Bit Maps field of the | |
9232 | * NSEC3 RR. | |
9233 | */ | |
9234 | /* | |
9235 | The RRSIG from "." denies the existence of any type at a. | |
9236 | NS should be set if it was proving an insecure delegation, let's check that | |
9237 | we correctly detect that it's not. | |
9238 | */ | |
9b061cf5 | 9239 | addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", { }, 600, records); |
95823c07 RG |
9240 | recordContents.push_back(records.at(0).d_content); |
9241 | addRRSIG(keys, records, DNSName("."), 300); | |
9242 | signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1))); | |
9243 | ||
9244 | ContentSigPair pair; | |
9245 | pair.records = recordContents; | |
9246 | pair.signatures = signatureContents; | |
9247 | cspmap_t denialMap; | |
9248 | denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair; | |
9249 | records.clear(); | |
9250 | ||
9251 | /* Insecure because the NS is not set, so while it does | |
9252 | denies the DS, it can't prove an insecure delegation */ | |
00e3fef4 | 9253 | dState denialState = getDenial(denialMap, DNSName("a."), QType::DS, true, true); |
b7c40613 | 9254 | BOOST_CHECK_EQUAL(denialState, NODATA); |
95823c07 RG |
9255 | } |
9256 | ||
dbbef467 RG |
9257 | BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_negcache_validity) { |
9258 | std::unique_ptr<SyncRes> sr; | |
dbbef467 RG |
9259 | initSR(sr, true); |
9260 | ||
9261 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
9262 | ||
9263 | primeHints(); | |
9264 | const DNSName target("com."); | |
9265 | testkeysset_t keys; | |
9266 | ||
9267 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
9268 | luaconfsCopy.dsAnchors.clear(); | |
9269 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
9270 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
9271 | g_luaconfs.setState(luaconfsCopy); | |
9272 | ||
9273 | size_t queriesCount = 0; | |
1e2e06f1 | 9274 | const time_t fixedNow = sr->getNow().tv_sec; |
dbbef467 | 9275 | |
1e2e06f1 | 9276 | sr->setAsyncCallback([target,&queriesCount,keys,fixedNow](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
dbbef467 RG |
9277 | queriesCount++; |
9278 | ||
9279 | DNSName auth = domain; | |
9280 | auth.chopOff(); | |
9281 | ||
9282 | if (type == QType::DS || type == QType::DNSKEY) { | |
9283 | return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); | |
9284 | } | |
9285 | else { | |
9286 | setLWResult(res, RCode::NoError, true, false, true); | |
9287 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
9288 | addRRSIG(keys, res->d_records, domain, 300); | |
9289 | addNSECRecordToLW(domain, DNSName("z."), { QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
1e2e06f1 | 9290 | addRRSIG(keys, res->d_records, domain, 1, false, boost::none, boost::none, fixedNow); |
dbbef467 RG |
9291 | return 1; |
9292 | } | |
9293 | ||
9294 | return 0; | |
9295 | }); | |
9296 | ||
9297 | vector<DNSRecord> ret; | |
9298 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9299 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9300 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
9301 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
9302 | BOOST_CHECK_EQUAL(queriesCount, 4); | |
9303 | ||
9304 | /* check that the entry has not been negatively cached for longer than the RRSIG validity */ | |
28364e4b | 9305 | const NegCache::NegCacheEntry* ne = nullptr; |
dbbef467 | 9306 | BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1); |
28364e4b | 9307 | BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true); |
1e2e06f1 | 9308 | BOOST_CHECK_EQUAL(ne->d_ttd, fixedNow + 1); |
28364e4b RG |
9309 | BOOST_CHECK_EQUAL(ne->d_validationState, Secure); |
9310 | BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1); | |
9311 | BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1); | |
9312 | BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 1); | |
9313 | BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 1); | |
dbbef467 RG |
9314 | |
9315 | /* again, to test the cache */ | |
9316 | ret.clear(); | |
9317 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9318 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9319 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
9320 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
9321 | BOOST_CHECK_EQUAL(queriesCount, 4); | |
9322 | } | |
9323 | ||
9324 | BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_cache_validity) { | |
9325 | std::unique_ptr<SyncRes> sr; | |
dbbef467 RG |
9326 | initSR(sr, true); |
9327 | ||
9328 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
9329 | ||
9330 | primeHints(); | |
9331 | const DNSName target("com."); | |
9332 | const ComboAddress targetAddr("192.0.2.42"); | |
9333 | testkeysset_t keys; | |
9334 | ||
9335 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
9336 | luaconfsCopy.dsAnchors.clear(); | |
9337 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
9338 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
9339 | g_luaconfs.setState(luaconfsCopy); | |
9340 | ||
9341 | size_t queriesCount = 0; | |
73c165ed | 9342 | const time_t tnow = sr->getNow().tv_sec; |
dbbef467 | 9343 | |
73c165ed | 9344 | sr->setAsyncCallback([target,targetAddr,&queriesCount,keys,tnow](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
dbbef467 RG |
9345 | queriesCount++; |
9346 | ||
9347 | DNSName auth = domain; | |
9348 | auth.chopOff(); | |
9349 | ||
9350 | if (type == QType::DS || type == QType::DNSKEY) { | |
9351 | return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); | |
9352 | } | |
9353 | else { | |
9354 | setLWResult(res, RCode::NoError, true, false, true); | |
9355 | addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); | |
73c165ed | 9356 | addRRSIG(keys, res->d_records, domain, 1, false, boost::none, boost::none, tnow); |
dbbef467 RG |
9357 | return 1; |
9358 | } | |
9359 | ||
9360 | return 0; | |
9361 | }); | |
9362 | ||
9363 | vector<DNSRecord> ret; | |
9364 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9365 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9366 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
9367 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
9368 | BOOST_CHECK_EQUAL(queriesCount, 4); | |
9369 | ||
9370 | /* check that the entry has not been cached for longer than the RRSIG validity */ | |
9371 | const ComboAddress who; | |
9372 | vector<DNSRecord> cached; | |
9373 | vector<std::shared_ptr<RRSIGRecordContent>> signatures; | |
73c165ed | 9374 | BOOST_REQUIRE_EQUAL(t_RC->get(tnow, target, QType(QType::A), true, &cached, who, &signatures), 1); |
dbbef467 RG |
9375 | BOOST_REQUIRE_EQUAL(cached.size(), 1); |
9376 | BOOST_REQUIRE_EQUAL(signatures.size(), 1); | |
73c165ed | 9377 | BOOST_CHECK_EQUAL((cached[0].d_ttl - tnow), 1); |
dbbef467 RG |
9378 | |
9379 | /* again, to test the cache */ | |
9380 | ret.clear(); | |
9381 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9382 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9383 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
9384 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
9385 | BOOST_CHECK_EQUAL(queriesCount, 4); | |
9386 | } | |
9387 | ||
f4de85a3 RG |
9388 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_secure) { |
9389 | /* | |
9390 | Validation is optional, and the first query does not ask for it, | |
9391 | so the answer is cached as Indeterminate. | |
9392 | The second query asks for validation, answer should be marked as | |
9393 | Secure. | |
9394 | */ | |
9395 | std::unique_ptr<SyncRes> sr; | |
9396 | initSR(sr, true); | |
9397 | ||
9398 | setDNSSECValidation(sr, DNSSECMode::Process); | |
9399 | ||
9400 | primeHints(); | |
9401 | const DNSName target("com."); | |
9402 | testkeysset_t keys; | |
9403 | ||
9404 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
9405 | luaconfsCopy.dsAnchors.clear(); | |
9406 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
9407 | g_luaconfs.setState(luaconfsCopy); | |
9408 | ||
9409 | size_t queriesCount = 0; | |
9410 | ||
0bd2e252 | 9411 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
f4de85a3 RG |
9412 | queriesCount++; |
9413 | ||
9414 | if (type == QType::DS || type == QType::DNSKEY) { | |
9415 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false); | |
9416 | } | |
9417 | else { | |
9418 | if (domain == target && type == QType::A) { | |
9419 | setLWResult(res, 0, true, false, true); | |
9420 | addRecordToLW(res, target, QType::A, "192.0.2.1"); | |
9421 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
9422 | return 1; | |
9423 | } | |
9424 | } | |
9425 | ||
9426 | return 0; | |
9427 | }); | |
9428 | ||
9429 | vector<DNSRecord> ret; | |
9430 | /* first query does not require validation */ | |
9431 | sr->setDNSSECValidationRequested(false); | |
9432 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9433 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9434 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
9435 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
9436 | for (const auto& record : ret) { | |
9437 | BOOST_CHECK(record.d_type == QType::A || record.d_type == QType::RRSIG); | |
9438 | } | |
9439 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
9440 | ||
9441 | ||
9442 | ret.clear(); | |
9443 | /* second one _does_ require validation */ | |
9444 | sr->setDNSSECValidationRequested(true); | |
9445 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9446 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9447 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
9448 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
9449 | for (const auto& record : ret) { | |
9450 | BOOST_CHECK(record.d_type == QType::A || record.d_type == QType::RRSIG); | |
9451 | } | |
9452 | BOOST_CHECK_EQUAL(queriesCount, 3); | |
9453 | } | |
9454 | ||
9455 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_insecure) { | |
9456 | /* | |
9457 | Validation is optional, and the first query does not ask for it, | |
9458 | so the answer is cached as Indeterminate. | |
9459 | The second query asks for validation, answer should be marked as | |
9460 | Insecure. | |
9461 | */ | |
9462 | std::unique_ptr<SyncRes> sr; | |
9463 | initSR(sr, true); | |
9464 | ||
9465 | setDNSSECValidation(sr, DNSSECMode::Process); | |
9466 | ||
9467 | primeHints(); | |
9468 | const DNSName target("com."); | |
9469 | testkeysset_t keys; | |
9470 | ||
9471 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
9472 | luaconfsCopy.dsAnchors.clear(); | |
9473 | g_luaconfs.setState(luaconfsCopy); | |
9474 | ||
9475 | size_t queriesCount = 0; | |
9476 | ||
0bd2e252 | 9477 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
f4de85a3 RG |
9478 | queriesCount++; |
9479 | ||
9480 | if (type == QType::DS || type == QType::DNSKEY) { | |
9481 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false); | |
9482 | } | |
9483 | else { | |
9484 | if (domain == target && type == QType::A) { | |
9485 | setLWResult(res, 0, true, false, true); | |
9486 | addRecordToLW(res, target, QType::A, "192.0.2.1"); | |
9487 | return 1; | |
9488 | } | |
9489 | } | |
9490 | ||
9491 | return 0; | |
9492 | }); | |
9493 | ||
9494 | vector<DNSRecord> ret; | |
9495 | /* first query does not require validation */ | |
9496 | sr->setDNSSECValidationRequested(false); | |
9497 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9498 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9499 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
9500 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
9501 | for (const auto& record : ret) { | |
55acb073 | 9502 | BOOST_CHECK(record.d_type == QType::A); |
f4de85a3 RG |
9503 | } |
9504 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
9505 | ||
9506 | ||
9507 | ret.clear(); | |
9508 | /* second one _does_ require validation */ | |
9509 | sr->setDNSSECValidationRequested(true); | |
9510 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9511 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9512 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
9513 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
9514 | for (const auto& record : ret) { | |
55acb073 | 9515 | BOOST_CHECK(record.d_type == QType::A); |
f4de85a3 RG |
9516 | } |
9517 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
9518 | } | |
9519 | ||
9520 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_bogus) { | |
9521 | /* | |
9522 | Validation is optional, and the first query does not ask for it, | |
9523 | so the answer is cached as Indeterminate. | |
9524 | The second query asks for validation, answer should be marked as | |
9525 | Bogus. | |
9526 | */ | |
9527 | std::unique_ptr<SyncRes> sr; | |
9528 | initSR(sr, true); | |
9529 | ||
9530 | setDNSSECValidation(sr, DNSSECMode::Process); | |
9531 | ||
9532 | primeHints(); | |
9533 | const DNSName target("com."); | |
9534 | testkeysset_t keys; | |
9535 | ||
9536 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
9537 | luaconfsCopy.dsAnchors.clear(); | |
9538 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
9539 | g_luaconfs.setState(luaconfsCopy); | |
9540 | ||
9541 | size_t queriesCount = 0; | |
9542 | ||
0bd2e252 | 9543 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
f4de85a3 RG |
9544 | queriesCount++; |
9545 | ||
9546 | if (type == QType::DS || type == QType::DNSKEY) { | |
9547 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false); | |
9548 | } | |
9549 | else { | |
9550 | if (domain == target && type == QType::A) { | |
9551 | setLWResult(res, 0, true, false, true); | |
9552 | addRecordToLW(res, target, QType::A, "192.0.2.1"); | |
9553 | /* no RRSIG */ | |
9554 | return 1; | |
9555 | } | |
9556 | } | |
9557 | ||
9558 | return 0; | |
9559 | }); | |
9560 | ||
9561 | vector<DNSRecord> ret; | |
9562 | /* first query does not require validation */ | |
9563 | sr->setDNSSECValidationRequested(false); | |
9564 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9565 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9566 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
9567 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
9568 | for (const auto& record : ret) { | |
55acb073 | 9569 | BOOST_CHECK(record.d_type == QType::A); |
f4de85a3 RG |
9570 | } |
9571 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
9572 | ||
9573 | ||
9574 | ret.clear(); | |
9575 | /* second one _does_ require validation */ | |
9576 | sr->setDNSSECValidationRequested(true); | |
9577 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9578 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9579 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
9580 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
9581 | for (const auto& record : ret) { | |
55acb073 | 9582 | BOOST_CHECK(record.d_type == QType::A); |
f4de85a3 RG |
9583 | } |
9584 | BOOST_CHECK_EQUAL(queriesCount, 3); | |
9585 | } | |
9586 | ||
55acb073 RG |
9587 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cname_cache_secure) { |
9588 | /* | |
9589 | Validation is optional, and the first query does not ask for it, | |
9590 | so the answer is cached as Indeterminate. | |
9591 | The second query asks for validation, answer should be marked as | |
9592 | Secure. | |
9593 | */ | |
9594 | std::unique_ptr<SyncRes> sr; | |
9595 | initSR(sr, true); | |
9596 | ||
9597 | setDNSSECValidation(sr, DNSSECMode::Process); | |
9598 | ||
9599 | primeHints(); | |
9600 | const DNSName target("com."); | |
9601 | const DNSName cnameTarget("cname-com."); | |
9602 | testkeysset_t keys; | |
9603 | ||
9604 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
9605 | luaconfsCopy.dsAnchors.clear(); | |
9606 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
9607 | g_luaconfs.setState(luaconfsCopy); | |
9608 | ||
9609 | size_t queriesCount = 0; | |
9610 | ||
0bd2e252 | 9611 | sr->setAsyncCallback([target,cnameTarget,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
55acb073 RG |
9612 | queriesCount++; |
9613 | ||
9614 | if (type == QType::DS || type == QType::DNSKEY) { | |
9615 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false); | |
9616 | } | |
9617 | else { | |
9618 | if (domain == target && type == QType::A) { | |
9619 | setLWResult(res, 0, true, false, true); | |
9620 | addRecordToLW(res, target, QType::CNAME, cnameTarget.toString()); | |
9621 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
9622 | addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1"); | |
9623 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
9624 | return 1; | |
9625 | } else if (domain == cnameTarget && type == QType::A) { | |
9626 | setLWResult(res, 0, true, false, true); | |
9627 | addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1"); | |
9628 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
9629 | return 1; | |
9630 | } | |
9631 | } | |
9632 | ||
9633 | return 0; | |
9634 | }); | |
9635 | ||
9636 | vector<DNSRecord> ret; | |
9637 | /* first query does not require validation */ | |
9638 | sr->setDNSSECValidationRequested(false); | |
9639 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9640 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9641 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
9642 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
9643 | for (const auto& record : ret) { | |
9644 | BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A || record.d_type == QType::RRSIG); | |
9645 | } | |
9646 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
9647 | ||
9648 | ||
9649 | ret.clear(); | |
9650 | /* second one _does_ require validation */ | |
9651 | sr->setDNSSECValidationRequested(true); | |
9652 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9653 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9654 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
9655 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
9656 | for (const auto& record : ret) { | |
9657 | BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A || record.d_type == QType::RRSIG); | |
9658 | } | |
9659 | BOOST_CHECK_EQUAL(queriesCount, 5); | |
9660 | } | |
9661 | ||
9662 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cname_cache_insecure) { | |
9663 | /* | |
9664 | Validation is optional, and the first query does not ask for it, | |
9665 | so the answer is cached as Indeterminate. | |
9666 | The second query asks for validation, answer should be marked as | |
9667 | Insecure. | |
9668 | */ | |
9669 | std::unique_ptr<SyncRes> sr; | |
9670 | initSR(sr, true); | |
9671 | ||
9672 | setDNSSECValidation(sr, DNSSECMode::Process); | |
9673 | ||
9674 | primeHints(); | |
9675 | const DNSName target("com."); | |
9676 | const DNSName cnameTarget("cname-com."); | |
9677 | testkeysset_t keys; | |
9678 | ||
9679 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
9680 | luaconfsCopy.dsAnchors.clear(); | |
9681 | g_luaconfs.setState(luaconfsCopy); | |
9682 | ||
9683 | size_t queriesCount = 0; | |
9684 | ||
0bd2e252 | 9685 | sr->setAsyncCallback([target,cnameTarget,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
55acb073 RG |
9686 | queriesCount++; |
9687 | ||
9688 | if (type == QType::DS || type == QType::DNSKEY) { | |
9689 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false); | |
9690 | } | |
9691 | else { | |
9692 | if (domain == target && type == QType::A) { | |
9693 | setLWResult(res, 0, true, false, true); | |
9694 | addRecordToLW(res, target, QType::CNAME, cnameTarget.toString()); | |
9695 | addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1"); | |
9696 | return 1; | |
9697 | } else if (domain == cnameTarget && type == QType::A) { | |
9698 | setLWResult(res, 0, true, false, true); | |
9699 | addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1"); | |
9700 | return 1; | |
9701 | } | |
9702 | } | |
9703 | ||
9704 | return 0; | |
9705 | }); | |
9706 | ||
9707 | vector<DNSRecord> ret; | |
9708 | /* first query does not require validation */ | |
9709 | sr->setDNSSECValidationRequested(false); | |
9710 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9711 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9712 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
9713 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
9714 | for (const auto& record : ret) { | |
9715 | BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A); | |
9716 | } | |
9717 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
9718 | ||
9719 | ||
9720 | ret.clear(); | |
9721 | /* second one _does_ require validation */ | |
9722 | sr->setDNSSECValidationRequested(true); | |
9723 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9724 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9725 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
9726 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
9727 | for (const auto& record : ret) { | |
9728 | BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A); | |
9729 | } | |
9730 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
9731 | } | |
9732 | ||
9733 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cname_cache_bogus) { | |
9734 | /* | |
9735 | Validation is optional, and the first query does not ask for it, | |
9736 | so the answer is cached as Indeterminate. | |
9737 | The second query asks for validation, answer should be marked as | |
9738 | Bogus. | |
9739 | */ | |
9740 | std::unique_ptr<SyncRes> sr; | |
9741 | initSR(sr, true); | |
9742 | ||
9743 | setDNSSECValidation(sr, DNSSECMode::Process); | |
9744 | ||
9745 | primeHints(); | |
9746 | const DNSName target("com."); | |
9747 | const DNSName cnameTarget("cname-com."); | |
9748 | testkeysset_t keys; | |
9749 | ||
9750 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
9751 | luaconfsCopy.dsAnchors.clear(); | |
9752 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
9753 | g_luaconfs.setState(luaconfsCopy); | |
9754 | ||
9755 | size_t queriesCount = 0; | |
9756 | ||
0bd2e252 | 9757 | sr->setAsyncCallback([target,cnameTarget,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
55acb073 RG |
9758 | queriesCount++; |
9759 | ||
9760 | if (type == QType::DS || type == QType::DNSKEY) { | |
9761 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false); | |
9762 | } | |
9763 | else { | |
9764 | if (domain == target && type == QType::A) { | |
9765 | setLWResult(res, 0, true, false, true); | |
9766 | addRecordToLW(res, target, QType::CNAME, cnameTarget.toString()); | |
9767 | addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1"); | |
9768 | /* no RRSIG */ | |
9769 | return 1; | |
9770 | } else if (domain == cnameTarget && type == QType::A) { | |
9771 | setLWResult(res, 0, true, false, true); | |
9772 | addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1"); | |
9773 | /* no RRSIG */ | |
9774 | return 1; | |
9775 | } | |
9776 | } | |
9777 | ||
9778 | return 0; | |
9779 | }); | |
9780 | ||
9781 | vector<DNSRecord> ret; | |
9782 | /* first query does not require validation */ | |
9783 | sr->setDNSSECValidationRequested(false); | |
9784 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9785 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9786 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
9787 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
9788 | for (const auto& record : ret) { | |
9789 | BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A); | |
9790 | } | |
9791 | BOOST_CHECK_EQUAL(queriesCount, 2); | |
9792 | ||
9793 | ||
9794 | ret.clear(); | |
9795 | /* second one _does_ require validation */ | |
9796 | sr->setDNSSECValidationRequested(true); | |
9797 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9798 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9799 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
9800 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
9801 | for (const auto& record : ret) { | |
9802 | BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A); | |
9803 | } | |
9804 | BOOST_CHECK_EQUAL(queriesCount, 5); | |
9805 | } | |
9806 | ||
405a26bd RG |
9807 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_additional_without_rrsig) { |
9808 | /* | |
9809 | We get a record from a secure zone in the additional section, without | |
9810 | the corresponding RRSIG. The record should not be marked as authoritative | |
9811 | and should be correctly validated. | |
9812 | */ | |
9813 | std::unique_ptr<SyncRes> sr; | |
9814 | initSR(sr, true); | |
9815 | ||
9816 | setDNSSECValidation(sr, DNSSECMode::Process); | |
9817 | ||
9818 | primeHints(); | |
9819 | const DNSName target("com."); | |
9820 | const DNSName addTarget("nsX.com."); | |
9821 | testkeysset_t keys; | |
9822 | ||
9823 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
9824 | luaconfsCopy.dsAnchors.clear(); | |
9825 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
9826 | g_luaconfs.setState(luaconfsCopy); | |
9827 | ||
9828 | size_t queriesCount = 0; | |
9829 | ||
0bd2e252 | 9830 | sr->setAsyncCallback([target,addTarget,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
405a26bd RG |
9831 | queriesCount++; |
9832 | ||
9833 | if (type == QType::DS || type == QType::DNSKEY) { | |
9834 | if (domain == addTarget) { | |
9835 | DNSName auth(domain); | |
9836 | /* no DS for com, auth will be . */ | |
9837 | auth.chopOff(); | |
9838 | return genericDSAndDNSKEYHandler(res, domain, auth, type, keys, false); | |
9839 | } | |
9840 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false); | |
9841 | } | |
9842 | else { | |
9843 | if (domain == target && type == QType::A) { | |
9844 | setLWResult(res, 0, true, false, true); | |
9845 | addRecordToLW(res, target, QType::A, "192.0.2.1"); | |
9846 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
9847 | addRecordToLW(res, addTarget, QType::A, "192.0.2.42", DNSResourceRecord::ADDITIONAL); | |
9848 | /* no RRSIG for the additional record */ | |
9849 | return 1; | |
9850 | } else if (domain == addTarget && type == QType::A) { | |
9851 | setLWResult(res, 0, true, false, true); | |
9852 | addRecordToLW(res, addTarget, QType::A, "192.0.2.42"); | |
9853 | addRRSIG(keys, res->d_records, DNSName("."), 300); | |
9854 | return 1; | |
9855 | } | |
9856 | } | |
9857 | ||
9858 | return 0; | |
9859 | }); | |
9860 | ||
9861 | vector<DNSRecord> ret; | |
9862 | /* first query for target/A, will pick up the additional record as non-auth / unvalidated */ | |
9863 | sr->setDNSSECValidationRequested(false); | |
9864 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9865 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9866 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
9867 | BOOST_CHECK_EQUAL(ret.size(), 2); | |
9868 | for (const auto& record : ret) { | |
9869 | BOOST_CHECK(record.d_type == QType::RRSIG || record.d_type == QType::A); | |
9870 | } | |
9871 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
9872 | ||
9873 | ret.clear(); | |
9874 | /* ask for the additional record directly, we should not use | |
9875 | the non-auth one and issue a new query, properly validated */ | |
9876 | sr->setDNSSECValidationRequested(true); | |
9877 | res = sr->beginResolve(addTarget, QType(QType::A), QClass::IN, ret); | |
9878 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9879 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
9880 | BOOST_CHECK_EQUAL(ret.size(), 2); | |
9881 | for (const auto& record : ret) { | |
9882 | BOOST_CHECK(record.d_type == QType::RRSIG || record.d_type == QType::A); | |
9883 | } | |
9884 | BOOST_CHECK_EQUAL(queriesCount, 5); | |
9885 | } | |
9886 | ||
f4de85a3 RG |
9887 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_secure) { |
9888 | /* | |
9889 | Validation is optional, and the first query does not ask for it, | |
9890 | so the answer is negatively cached as Indeterminate. | |
9891 | The second query asks for validation, answer should be marked as | |
9892 | Secure. | |
9893 | */ | |
9894 | std::unique_ptr<SyncRes> sr; | |
9895 | initSR(sr, true); | |
9896 | ||
9897 | setDNSSECValidation(sr, DNSSECMode::Process); | |
9898 | ||
9899 | primeHints(); | |
9900 | const DNSName target("com."); | |
9901 | testkeysset_t keys; | |
9902 | ||
9903 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
9904 | luaconfsCopy.dsAnchors.clear(); | |
9905 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
9906 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
9907 | g_luaconfs.setState(luaconfsCopy); | |
9908 | ||
9909 | size_t queriesCount = 0; | |
9910 | ||
0bd2e252 | 9911 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
f4de85a3 RG |
9912 | queriesCount++; |
9913 | ||
9914 | DNSName auth = domain; | |
9915 | auth.chopOff(); | |
9916 | ||
9917 | if (type == QType::DS || type == QType::DNSKEY) { | |
9918 | return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); | |
9919 | } | |
9920 | else { | |
9921 | setLWResult(res, RCode::NoError, true, false, true); | |
9922 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
9923 | addRRSIG(keys, res->d_records, domain, 300); | |
9924 | addNSECRecordToLW(domain, DNSName("z."), { QType::NSEC, QType::RRSIG }, 600, res->d_records); | |
9925 | addRRSIG(keys, res->d_records, domain, 1); | |
9926 | return 1; | |
9927 | } | |
9928 | ||
9929 | return 0; | |
9930 | }); | |
9931 | ||
9932 | vector<DNSRecord> ret; | |
9933 | /* first query does not require validation */ | |
9934 | sr->setDNSSECValidationRequested(false); | |
9935 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9936 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9937 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
9938 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
9939 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
b25712fd | 9940 | /* check that the entry has not been negatively cached */ |
28364e4b | 9941 | const NegCache::NegCacheEntry* ne = nullptr; |
b25712fd | 9942 | BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1); |
28364e4b RG |
9943 | BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true); |
9944 | BOOST_CHECK_EQUAL(ne->d_validationState, Indeterminate); | |
9945 | BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1); | |
9946 | BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1); | |
9947 | BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 1); | |
9948 | BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 1); | |
f4de85a3 RG |
9949 | |
9950 | ret.clear(); | |
9951 | /* second one _does_ require validation */ | |
9952 | sr->setDNSSECValidationRequested(true); | |
9953 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
9954 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
9955 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
9956 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
9957 | BOOST_CHECK_EQUAL(queriesCount, 4); | |
b25712fd | 9958 | BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1); |
28364e4b RG |
9959 | BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true); |
9960 | BOOST_CHECK_EQUAL(ne->d_validationState, Secure); | |
9961 | BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1); | |
9962 | BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1); | |
9963 | BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 1); | |
9964 | BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 1); | |
f4de85a3 RG |
9965 | } |
9966 | ||
f5a747bb RG |
9967 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_secure_ds) { |
9968 | /* | |
9969 | Validation is optional, and the first query does not ask for it, | |
9970 | so the answer is negatively cached as Indeterminate. | |
9971 | The second query asks for validation, answer should be marked as | |
9972 | Secure. | |
9973 | The difference with test_dnssec_validation_from_negcache_secure is | |
9974 | that have one more level here, so we are going to look for the proof | |
9975 | that the DS does not exist for the last level. Since there is no cut, | |
9976 | we should accept the fact that the NSEC denies DS and NS both. | |
9977 | */ | |
9978 | std::unique_ptr<SyncRes> sr; | |
9979 | initSR(sr, true); | |
9980 | ||
9981 | setDNSSECValidation(sr, DNSSECMode::Process); | |
9982 | ||
9983 | primeHints(); | |
9984 | const DNSName target("www.com."); | |
9985 | testkeysset_t keys; | |
9986 | ||
9987 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
9988 | luaconfsCopy.dsAnchors.clear(); | |
9989 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
9990 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
9991 | g_luaconfs.setState(luaconfsCopy); | |
9992 | ||
9993 | size_t queriesCount = 0; | |
9994 | ||
0bd2e252 | 9995 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
f5a747bb RG |
9996 | queriesCount++; |
9997 | ||
9998 | if (type == QType::DS || type == QType::DNSKEY) { | |
9999 | if (domain == target) { | |
10000 | /* there is no cut */ | |
10001 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false); | |
10002 | } | |
10003 | return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); | |
10004 | } | |
10005 | ||
10006 | return 0; | |
10007 | }); | |
10008 | ||
10009 | vector<DNSRecord> ret; | |
10010 | /* first query does not require validation */ | |
10011 | sr->setDNSSECValidationRequested(false); | |
10012 | int res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret); | |
10013 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
10014 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
10015 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
10016 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
10017 | ||
10018 | ret.clear(); | |
10019 | /* second one _does_ require validation */ | |
10020 | sr->setDNSSECValidationRequested(true); | |
10021 | res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret); | |
10022 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
10023 | BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); | |
10024 | BOOST_REQUIRE_EQUAL(ret.size(), 4); | |
10025 | BOOST_CHECK_EQUAL(queriesCount, 4); | |
10026 | } | |
10027 | ||
f4de85a3 RG |
10028 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_insecure) { |
10029 | /* | |
10030 | Validation is optional, and the first query does not ask for it, | |
10031 | so the answer is negatively cached as Indeterminate. | |
10032 | The second query asks for validation, answer should be marked as | |
10033 | Insecure. | |
10034 | */ | |
10035 | std::unique_ptr<SyncRes> sr; | |
10036 | initSR(sr, true); | |
10037 | ||
10038 | setDNSSECValidation(sr, DNSSECMode::Process); | |
10039 | ||
10040 | primeHints(); | |
10041 | const DNSName target("com."); | |
10042 | testkeysset_t keys; | |
10043 | ||
10044 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
10045 | luaconfsCopy.dsAnchors.clear(); | |
10046 | g_luaconfs.setState(luaconfsCopy); | |
10047 | ||
10048 | size_t queriesCount = 0; | |
10049 | ||
0bd2e252 | 10050 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
f4de85a3 RG |
10051 | queriesCount++; |
10052 | ||
10053 | DNSName auth = domain; | |
10054 | auth.chopOff(); | |
10055 | ||
10056 | if (type == QType::DS || type == QType::DNSKEY) { | |
10057 | return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); | |
10058 | } | |
10059 | else { | |
10060 | setLWResult(res, RCode::NoError, true, false, true); | |
10061 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
10062 | return 1; | |
10063 | } | |
10064 | ||
10065 | return 0; | |
10066 | }); | |
10067 | ||
10068 | vector<DNSRecord> ret; | |
10069 | /* first query does not require validation */ | |
10070 | sr->setDNSSECValidationRequested(false); | |
10071 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
10072 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
10073 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
10074 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
10075 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
b25712fd | 10076 | /* check that the entry has not been negatively cached */ |
28364e4b | 10077 | const NegCache::NegCacheEntry* ne = nullptr; |
b25712fd | 10078 | BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1); |
28364e4b RG |
10079 | BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true); |
10080 | BOOST_CHECK_EQUAL(ne->d_validationState, Indeterminate); | |
10081 | BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1); | |
10082 | BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 0); | |
10083 | BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0); | |
10084 | BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0); | |
f4de85a3 RG |
10085 | |
10086 | ret.clear(); | |
10087 | /* second one _does_ require validation */ | |
10088 | sr->setDNSSECValidationRequested(true); | |
10089 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
10090 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
10091 | BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure); | |
10092 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
10093 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
28364e4b RG |
10094 | BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true); |
10095 | BOOST_CHECK_EQUAL(ne->d_validationState, Insecure); | |
10096 | BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1); | |
10097 | BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 0); | |
10098 | BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0); | |
10099 | BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0); | |
f4de85a3 RG |
10100 | } |
10101 | ||
10102 | BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_bogus) { | |
10103 | /* | |
10104 | Validation is optional, and the first query does not ask for it, | |
10105 | so the answer is negatively cached as Indeterminate. | |
10106 | The second query asks for validation, answer should be marked as | |
10107 | Bogus. | |
10108 | */ | |
10109 | std::unique_ptr<SyncRes> sr; | |
10110 | initSR(sr, true); | |
10111 | ||
10112 | setDNSSECValidation(sr, DNSSECMode::Process); | |
10113 | ||
10114 | primeHints(); | |
10115 | const DNSName target("com."); | |
10116 | testkeysset_t keys; | |
10117 | ||
10118 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
10119 | luaconfsCopy.dsAnchors.clear(); | |
10120 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
10121 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
10122 | g_luaconfs.setState(luaconfsCopy); | |
10123 | ||
10124 | size_t queriesCount = 0; | |
10125 | ||
0bd2e252 | 10126 | sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
f4de85a3 RG |
10127 | queriesCount++; |
10128 | ||
10129 | DNSName auth = domain; | |
10130 | auth.chopOff(); | |
10131 | ||
10132 | if (type == QType::DS || type == QType::DNSKEY) { | |
10133 | return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); | |
10134 | } | |
10135 | else { | |
10136 | setLWResult(res, RCode::NoError, true, false, true); | |
10137 | addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); | |
10138 | addRRSIG(keys, res->d_records, domain, 300); | |
10139 | /* no denial */ | |
10140 | return 1; | |
10141 | } | |
10142 | ||
10143 | return 0; | |
10144 | }); | |
10145 | ||
10146 | vector<DNSRecord> ret; | |
10147 | /* first query does not require validation */ | |
10148 | sr->setDNSSECValidationRequested(false); | |
10149 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
10150 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
10151 | BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate); | |
10152 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
10153 | BOOST_CHECK_EQUAL(queriesCount, 1); | |
28364e4b | 10154 | const NegCache::NegCacheEntry* ne = nullptr; |
b25712fd | 10155 | BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1); |
28364e4b RG |
10156 | BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true); |
10157 | BOOST_CHECK_EQUAL(ne->d_validationState, Indeterminate); | |
10158 | BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1); | |
10159 | BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1); | |
10160 | BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0); | |
10161 | BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0); | |
f4de85a3 RG |
10162 | |
10163 | ret.clear(); | |
10164 | /* second one _does_ require validation */ | |
10165 | sr->setDNSSECValidationRequested(true); | |
10166 | res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
10167 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
10168 | BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); | |
10169 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
10170 | BOOST_CHECK_EQUAL(queriesCount, 4); | |
28364e4b RG |
10171 | BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true); |
10172 | BOOST_CHECK_EQUAL(ne->d_validationState, Bogus); | |
10173 | BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1); | |
10174 | BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1); | |
10175 | BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0); | |
10176 | BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0); | |
f4de85a3 RG |
10177 | } |
10178 | ||
429ce1da PL |
10179 | BOOST_AUTO_TEST_CASE(test_lowercase_outgoing) { |
10180 | g_lowercaseOutgoing = true; | |
10181 | std::unique_ptr<SyncRes> sr; | |
10182 | initSR(sr); | |
10183 | ||
10184 | primeHints(); | |
10185 | ||
10186 | vector<DNSName> sentOutQnames; | |
10187 | ||
10188 | const DNSName target("WWW.POWERDNS.COM"); | |
10189 | const DNSName cname("WWW.PowerDNS.org"); | |
10190 | ||
0bd2e252 | 10191 | sr->setAsyncCallback([target, cname, &sentOutQnames](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
429ce1da PL |
10192 | |
10193 | sentOutQnames.push_back(domain); | |
10194 | ||
10195 | if (isRootServer(ip)) { | |
10196 | if (domain == target) { | |
10197 | setLWResult(res, 0, false, false, true); | |
10198 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); | |
10199 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
10200 | return 1; | |
10201 | } | |
10202 | if (domain == cname) { | |
10203 | setLWResult(res, 0, false, false, true); | |
10204 | addRecordToLW(res, "powerdns.org.", QType::NS, "pdns-public-ns1.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800); | |
10205 | addRecordToLW(res, "pdns-public-ns1.powerdns.org.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); | |
10206 | return 1; | |
10207 | } | |
10208 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
10209 | if (domain == target) { | |
10210 | setLWResult(res, 0, true, false, false); | |
10211 | addRecordToLW(res, domain, QType::CNAME, cname.toString()); | |
10212 | return 1; | |
10213 | } | |
10214 | } else if (ip == ComboAddress("192.0.2.2:53")) { | |
10215 | if (domain == cname) { | |
10216 | setLWResult(res, 0, true, false, false); | |
10217 | addRecordToLW(res, domain, QType::A, "127.0.0.1"); | |
10218 | return 1; | |
10219 | } | |
10220 | } | |
10221 | return 0; | |
10222 | }); | |
10223 | ||
10224 | vector<DNSRecord> ret; | |
10225 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
10226 | ||
10227 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
10228 | ||
10229 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
10230 | BOOST_CHECK_EQUAL(ret[0].d_content->getZoneRepresentation(), cname.toString()); | |
10231 | ||
10232 | BOOST_REQUIRE_EQUAL(sentOutQnames.size(), 4); | |
10233 | BOOST_CHECK_EQUAL(sentOutQnames[0].toString(), target.makeLowerCase().toString()); | |
10234 | BOOST_CHECK_EQUAL(sentOutQnames[1].toString(), target.makeLowerCase().toString()); | |
10235 | BOOST_CHECK_EQUAL(sentOutQnames[2].toString(), cname.makeLowerCase().toString()); | |
10236 | BOOST_CHECK_EQUAL(sentOutQnames[3].toString(), cname.makeLowerCase().toString()); | |
10237 | ||
10238 | g_lowercaseOutgoing = false; | |
10239 | } | |
10240 | ||
4d787d30 PL |
10241 | BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo) { |
10242 | std::unique_ptr<SyncRes> sr; | |
10243 | initSR(sr, true); | |
10244 | ||
10245 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
10246 | ||
10247 | primeHints(); | |
10248 | const DNSName target("com."); | |
10249 | testkeysset_t keys, keys2; | |
10250 | ||
10251 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
10252 | luaconfsCopy.dsAnchors.clear(); | |
10253 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
10254 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
10255 | g_luaconfs.setState(luaconfsCopy); | |
10256 | ||
10257 | // As testkeysset_t only contains one DSRecordContent, create another one with a different hash algo | |
10258 | generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA1, keys2); | |
10259 | // But add the existing root key otherwise no RRSIG can be created | |
10260 | auto rootkey = keys.find(g_rootdnsname); | |
10261 | keys2.insert(*rootkey); | |
10262 | ||
0bd2e252 | 10263 | sr->setAsyncCallback([target, keys, keys2](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
4d787d30 PL |
10264 | DNSName auth = domain; |
10265 | auth.chopOff(); | |
10266 | if (type == QType::DS || type == QType::DNSKEY) { | |
10267 | if (domain == target) { | |
10268 | if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys2) != 1) { | |
10269 | return 0; | |
10270 | } | |
10271 | } | |
10272 | return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); | |
10273 | } | |
10274 | return 0; | |
10275 | }); | |
10276 | ||
10277 | dsmap_t ds; | |
10278 | auto state = sr->getDSRecords(target, ds, false, 0, false); | |
10279 | BOOST_CHECK_EQUAL(state, Secure); | |
10280 | BOOST_REQUIRE_EQUAL(ds.size(), 1); | |
10281 | for (const auto& i : ds) { | |
10282 | BOOST_CHECK_EQUAL(i.d_digesttype, DNSSECKeeper::SHA256); | |
10283 | } | |
10284 | } | |
10285 | ||
10286 | BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo_all_sha) { | |
10287 | std::unique_ptr<SyncRes> sr; | |
10288 | initSR(sr, true); | |
10289 | ||
10290 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
10291 | ||
10292 | primeHints(); | |
10293 | const DNSName target("com."); | |
10294 | testkeysset_t keys, keys2, keys3; | |
10295 | ||
10296 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
10297 | luaconfsCopy.dsAnchors.clear(); | |
10298 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
10299 | generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
10300 | g_luaconfs.setState(luaconfsCopy); | |
10301 | ||
10302 | // As testkeysset_t only contains one DSRecordContent, create another one with a different hash algo | |
10303 | generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA1, keys2); | |
10304 | // But add the existing root key otherwise no RRSIG can be created | |
10305 | auto rootkey = keys.find(g_rootdnsname); | |
10306 | keys2.insert(*rootkey); | |
10307 | ||
10308 | generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA384, keys3); | |
10309 | // But add the existing root key otherwise no RRSIG can be created | |
10310 | keys3.insert(*rootkey); | |
10311 | ||
0bd2e252 | 10312 | sr->setAsyncCallback([target, keys, keys2, keys3](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
4d787d30 PL |
10313 | DNSName auth = domain; |
10314 | auth.chopOff(); | |
10315 | if (type == QType::DS || type == QType::DNSKEY) { | |
10316 | if (domain == target) { | |
10317 | if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys2) != 1) { | |
10318 | return 0; | |
10319 | } | |
10320 | if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys3) != 1) { | |
10321 | return 0; | |
10322 | } | |
10323 | } | |
10324 | return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); | |
10325 | } | |
10326 | return 0; | |
10327 | }); | |
10328 | ||
10329 | dsmap_t ds; | |
10330 | auto state = sr->getDSRecords(target, ds, false, 0, false); | |
10331 | BOOST_CHECK_EQUAL(state, Secure); | |
10332 | BOOST_REQUIRE_EQUAL(ds.size(), 1); | |
10333 | for (const auto& i : ds) { | |
10334 | BOOST_CHECK_EQUAL(i.d_digesttype, DNSSECKeeper::SHA384); | |
10335 | } | |
10336 | } | |
10337 | ||
10338 | BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo_two_highest) { | |
10339 | std::unique_ptr<SyncRes> sr; | |
10340 | initSR(sr, true); | |
10341 | ||
10342 | setDNSSECValidation(sr, DNSSECMode::ValidateAll); | |
10343 | ||
10344 | primeHints(); | |
10345 | const DNSName target("com."); | |
10346 | testkeysset_t keys, keys2, keys3; | |
10347 | ||
10348 | auto luaconfsCopy = g_luaconfs.getCopy(); | |
10349 | luaconfsCopy.dsAnchors.clear(); | |
10350 | generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); | |
10351 | generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); | |
10352 | g_luaconfs.setState(luaconfsCopy); | |
10353 | ||
10354 | // As testkeysset_t only contains one DSRecordContent, create another one with a different hash algo | |
10355 | generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys2); | |
10356 | // But add the existing root key otherwise no RRSIG can be created | |
10357 | auto rootkey = keys.find(g_rootdnsname); | |
10358 | keys2.insert(*rootkey); | |
10359 | ||
10360 | generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA1, keys3); | |
10361 | // But add the existing root key otherwise no RRSIG can be created | |
10362 | keys3.insert(*rootkey); | |
10363 | ||
0bd2e252 | 10364 | sr->setAsyncCallback([target, keys, keys2, keys3](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { |
4d787d30 PL |
10365 | DNSName auth = domain; |
10366 | auth.chopOff(); | |
10367 | if (type == QType::DS || type == QType::DNSKEY) { | |
10368 | if (domain == target) { | |
10369 | if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys2) != 1) { | |
10370 | return 0; | |
10371 | } | |
10372 | if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys3) != 1) { | |
10373 | return 0; | |
10374 | } | |
10375 | } | |
10376 | return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); | |
10377 | } | |
10378 | return 0; | |
10379 | }); | |
10380 | ||
10381 | dsmap_t ds; | |
10382 | auto state = sr->getDSRecords(target, ds, false, 0, false); | |
10383 | BOOST_CHECK_EQUAL(state, Secure); | |
10384 | BOOST_REQUIRE_EQUAL(ds.size(), 2); | |
10385 | for (const auto& i : ds) { | |
10386 | BOOST_CHECK_EQUAL(i.d_digesttype, DNSSECKeeper::SHA256); | |
10387 | } | |
10388 | } | |
10389 | ||
d9c32b52 RG |
10390 | BOOST_AUTO_TEST_CASE(test_cname_plus_authority_ns_ttl) { |
10391 | std::unique_ptr<SyncRes> sr; | |
10392 | initSR(sr); | |
10393 | ||
10394 | primeHints(); | |
10395 | ||
10396 | const DNSName target("cname.powerdns.com."); | |
10397 | const DNSName cnameTarget("cname-target.powerdns.com"); | |
10398 | size_t queriesCount = 0; | |
10399 | ||
10400 | sr->setAsyncCallback([target, cnameTarget, &queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { | |
10401 | ||
10402 | queriesCount++; | |
10403 | ||
10404 | if (isRootServer(ip)) { | |
10405 | setLWResult(res, 0, false, false, true); | |
10406 | addRecordToLW(res, DNSName("powerdns.com"), QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 42); | |
10407 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
10408 | return 1; | |
10409 | } else if (ip == ComboAddress("192.0.2.1:53")) { | |
10410 | if (domain == target) { | |
10411 | setLWResult(res, 0, true, false, false); | |
10412 | addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString()); | |
10413 | addRecordToLW(res, cnameTarget, QType::A, "192.0.2.2"); | |
10414 | addRecordToLW(res, DNSName("powerdns.com."), QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); | |
fc8c01f4 | 10415 | addRecordToLW(res, DNSName("a.gtld-servers.net."), QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); |
d9c32b52 RG |
10416 | return 1; |
10417 | } | |
10418 | else if (domain == cnameTarget) { | |
10419 | setLWResult(res, 0, true, false, false); | |
10420 | addRecordToLW(res, domain, QType::A, "192.0.2.2"); | |
10421 | } | |
10422 | ||
10423 | return 1; | |
10424 | } | |
10425 | ||
10426 | return 0; | |
10427 | }); | |
10428 | ||
10429 | const time_t now = sr->getNow().tv_sec; | |
10430 | vector<DNSRecord> ret; | |
10431 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
10432 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
10433 | BOOST_REQUIRE_EQUAL(ret.size(), 2); | |
10434 | BOOST_CHECK(ret[0].d_type == QType::CNAME); | |
10435 | BOOST_CHECK_EQUAL(ret[0].d_name, target); | |
10436 | BOOST_CHECK(ret[1].d_type == QType::A); | |
10437 | BOOST_CHECK_EQUAL(ret[1].d_name, cnameTarget); | |
10438 | ||
10439 | /* check that the NS in authority has not replaced the one in the cache | |
10440 | with auth=0 (or at least has not raised the TTL since it could otherwise | |
10441 | be used to create a never-ending ghost zone even after the NS have been | |
10442 | changed in the parent. | |
d9c32b52 RG |
10443 | */ |
10444 | const ComboAddress who; | |
10445 | vector<DNSRecord> cached; | |
10446 | bool wasAuth = false; | |
10447 | ||
10448 | auto ttl = t_RC->get(now, DNSName("powerdns.com."), QType(QType::NS), false, &cached, who, nullptr, nullptr, nullptr, nullptr, &wasAuth); | |
10449 | BOOST_REQUIRE_GE(ttl, 1); | |
10450 | BOOST_REQUIRE_LE(ttl, 42); | |
10451 | BOOST_CHECK_EQUAL(cached.size(), 1); | |
10452 | BOOST_CHECK_EQUAL(wasAuth, false); | |
10453 | ||
10454 | cached.clear(); | |
fc8c01f4 RG |
10455 | |
10456 | /* Also check that the the part in additional is still not auth */ | |
10457 | BOOST_REQUIRE_GE(t_RC->get(now, DNSName("a.gtld-servers.net."), QType(QType::A), false, &cached, who, nullptr, nullptr, nullptr, nullptr, &wasAuth), -1); | |
d9c32b52 RG |
10458 | BOOST_CHECK_EQUAL(cached.size(), 1); |
10459 | BOOST_CHECK_EQUAL(wasAuth, false); | |
10460 | } | |
10461 | ||
8416631b RG |
10462 | BOOST_AUTO_TEST_CASE(test_records_sanitization_general) { |
10463 | std::unique_ptr<SyncRes> sr; | |
10464 | initSR(sr); | |
10465 | ||
10466 | primeHints(); | |
10467 | ||
10468 | const DNSName target("sanitization.powerdns.com."); | |
10469 | ||
10470 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { | |
10471 | ||
10472 | setLWResult(res, 0, true, false, true); | |
10473 | addRecordToLW(res, domain, QType::A, "192.0.2.1"); | |
10474 | /* should be scrubbed because it doesn't match the QType */ | |
10475 | addRecordToLW(res, domain, QType::AAAA, "2001:db8::1"); | |
10476 | /* should be scrubbed because the DNAME is not relevant to the qname */ | |
10477 | addRecordToLW(res, DNSName("not-sanitization.powerdns.com."), QType::DNAME, "not-sanitization.powerdns.net."); | |
10478 | /* should be scrubbed because a MX has no reason to show up in AUTHORITY */ | |
10479 | addRecordToLW(res, domain, QType::MX, "10 mx.powerdns.com.", DNSResourceRecord::AUTHORITY); | |
10480 | /* should be scrubbed because the SOA name is not relevant to the qname */ | |
10481 | addRecordToLW(res, DNSName("not-sanitization.powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY); | |
10482 | /* should be scrubbed because types other than A or AAAA are not really supposed to show up in ADDITIONAL */ | |
10483 | addRecordToLW(res, domain, QType::TXT, "TXT", DNSResourceRecord::ADDITIONAL); | |
10484 | /* should be scrubbed because it doesn't match any of the accepted names in this answer (mostly 'domain') */ | |
10485 | addRecordToLW(res, DNSName("powerdns.com."), QType::AAAA, "2001:db8::1", DNSResourceRecord::ADDITIONAL); | |
10486 | return 1; | |
8416631b RG |
10487 | }); |
10488 | ||
10489 | const time_t now = sr->getNow().tv_sec; | |
10490 | ||
10491 | vector<DNSRecord> ret; | |
10492 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
10493 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
10494 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
10495 | ||
10496 | const ComboAddress who; | |
10497 | vector<DNSRecord> cached; | |
10498 | BOOST_CHECK_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0); | |
10499 | cached.clear(); | |
10500 | BOOST_CHECK_LT(t_RC->get(now, target, QType(QType::AAAA), true, &cached, who), 0); | |
10501 | BOOST_CHECK_EQUAL(t_RC->get(now, DNSName("not-sanitization.powerdns.com."), QType(QType::DNAME), true, &cached, who), -1); | |
10502 | BOOST_CHECK_LT(t_RC->get(now, target, QType(QType::MX), true, &cached, who), 0); | |
10503 | BOOST_CHECK_EQUAL(t_RC->get(now, DNSName("not-sanitization.powerdns.com."), QType(QType::SOA), true, &cached, who), -1); | |
10504 | BOOST_CHECK_LT(t_RC->get(now, target, QType(QType::TXT), false, &cached, who), 0); | |
10505 | BOOST_CHECK_EQUAL(t_RC->get(now, DNSName("powerdns.com."), QType(QType::AAAA), false, &cached, who), -1); | |
10506 | } | |
10507 | ||
10508 | BOOST_AUTO_TEST_CASE(test_records_sanitization_keep_relevant_additional_aaaa) { | |
10509 | std::unique_ptr<SyncRes> sr; | |
10510 | initSR(sr); | |
10511 | ||
10512 | primeHints(); | |
10513 | ||
10514 | const DNSName target("sanitization.powerdns.com."); | |
10515 | ||
10516 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { | |
10517 | ||
10518 | setLWResult(res, 0, true, false, true); | |
10519 | addRecordToLW(res, domain, QType::A, "192.0.2.1"); | |
10520 | addRecordToLW(res, domain, QType::AAAA, "2001:db8::1", DNSResourceRecord::ADDITIONAL); | |
10521 | return 1; | |
8416631b RG |
10522 | }); |
10523 | ||
10524 | const time_t now = sr->getNow().tv_sec; | |
10525 | ||
10526 | vector<DNSRecord> ret; | |
10527 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
10528 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
10529 | BOOST_REQUIRE_EQUAL(ret.size(), 1); | |
10530 | ||
10531 | const ComboAddress who; | |
10532 | vector<DNSRecord> cached; | |
10533 | BOOST_CHECK_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0); | |
10534 | cached.clear(); | |
10535 | /* not auth since it was in the additional section */ | |
10536 | BOOST_CHECK_LT(t_RC->get(now, target, QType(QType::AAAA), true, &cached, who), 0); | |
10537 | BOOST_CHECK_GT(t_RC->get(now, target, QType(QType::AAAA), false, &cached, who), 0); | |
10538 | } | |
10539 | ||
10540 | BOOST_AUTO_TEST_CASE(test_records_sanitization_keep_glue) { | |
10541 | std::unique_ptr<SyncRes> sr; | |
10542 | initSR(sr); | |
10543 | ||
10544 | primeHints(); | |
10545 | ||
10546 | const DNSName target("sanitization-glue.powerdns.com."); | |
10547 | ||
10548 | size_t queriesCount = 0; | |
10549 | ||
10550 | sr->setAsyncCallback([target,&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { | |
10551 | ||
10552 | queriesCount++; | |
10553 | ||
10554 | if (isRootServer(ip)) { | |
10555 | setLWResult(res, 0, false, false, true); | |
10556 | addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800); | |
10557 | addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
10558 | addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600); | |
10559 | return 1; | |
10560 | } | |
10561 | else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) { | |
10562 | setLWResult(res, 0, false, false, true); | |
10563 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); | |
10564 | addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800); | |
10565 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800); | |
10566 | addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800); | |
10567 | addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800); | |
10568 | addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800); | |
10569 | return 1; | |
10570 | } | |
10571 | else if (ip == ComboAddress("192.0.2.2:53") || ip == ComboAddress("192.0.2.3:53") || ip == ComboAddress("[2001:DB8::2]:53") || ip == ComboAddress("[2001:DB8::3]:53")) { | |
10572 | setLWResult(res, 0, true, false, true); | |
10573 | addRecordToLW(res, target, QType::A, "192.0.2.4"); | |
10574 | return 1; | |
10575 | } | |
10576 | else { | |
10577 | return 0; | |
10578 | } | |
10579 | }); | |
10580 | ||
10581 | const time_t now = sr->getNow().tv_sec; | |
10582 | ||
10583 | vector<DNSRecord> ret; | |
10584 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
10585 | BOOST_CHECK_EQUAL(res, RCode::NoError); | |
10586 | BOOST_CHECK_EQUAL(ret.size(), 1); | |
10587 | BOOST_CHECK_EQUAL(queriesCount, 3); | |
10588 | ||
10589 | const ComboAddress who; | |
10590 | vector<DNSRecord> cached; | |
10591 | BOOST_CHECK_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0); | |
10592 | cached.clear(); | |
10593 | ||
10594 | BOOST_CHECK_GT(t_RC->get(now, DNSName("com."), QType(QType::NS), false, &cached, who), 0); | |
10595 | BOOST_CHECK_GT(t_RC->get(now, DNSName("a.gtld-servers.net."), QType(QType::A), false, &cached, who), 0); | |
10596 | BOOST_CHECK_GT(t_RC->get(now, DNSName("a.gtld-servers.net."), QType(QType::AAAA), false, &cached, who), 0); | |
10597 | BOOST_CHECK_GT(t_RC->get(now, DNSName("powerdns.com."), QType(QType::NS), false, &cached, who), 0); | |
10598 | BOOST_CHECK_GT(t_RC->get(now, DNSName("pdns-public-ns1.powerdns.com."), QType(QType::A), false, &cached, who), 0); | |
10599 | BOOST_CHECK_GT(t_RC->get(now, DNSName("pdns-public-ns1.powerdns.com."), QType(QType::AAAA), false, &cached, who), 0); | |
10600 | BOOST_CHECK_GT(t_RC->get(now, DNSName("pdns-public-ns2.powerdns.com."), QType(QType::A), false, &cached, who), 0); | |
10601 | BOOST_CHECK_GT(t_RC->get(now, DNSName("pdns-public-ns2.powerdns.com."), QType(QType::AAAA), false, &cached, who), 0); | |
10602 | } | |
10603 | ||
10604 | BOOST_AUTO_TEST_CASE(test_records_sanitization_scrubs_ns_nxd) { | |
10605 | std::unique_ptr<SyncRes> sr; | |
10606 | initSR(sr); | |
10607 | ||
10608 | primeHints(); | |
10609 | ||
10610 | const DNSName target("sanitization-ns-nxd.powerdns.com."); | |
10611 | ||
10612 | sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) { | |
10613 | ||
10614 | setLWResult(res, RCode::NXDomain, true, false, true); | |
10615 | addRecordToLW(res, "powerdns.com.", QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY); | |
10616 | addRecordToLW(res, "powerdns.com.", QType::NS, "spoofed.ns.", DNSResourceRecord::AUTHORITY, 172800); | |
10617 | addRecordToLW(res, "spoofed.ns.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); | |
10618 | addRecordToLW(res, "spoofed.ns.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600); | |
10619 | return 1; | |
10620 | }); | |
10621 | ||
10622 | const time_t now = sr->getNow().tv_sec; | |
10623 | ||
10624 | vector<DNSRecord> ret; | |
10625 | int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); | |
10626 | BOOST_CHECK_EQUAL(res, RCode::NXDomain); | |
10627 | BOOST_CHECK_EQUAL(ret.size(), 1); | |
10628 | ||
10629 | const ComboAddress who; | |
10630 | vector<DNSRecord> cached; | |
10631 | BOOST_CHECK_GT(t_RC->get(now, DNSName("powerdns.com."), QType(QType::SOA), true, &cached, who), 0); | |
10632 | cached.clear(); | |
10633 | ||
10634 | BOOST_CHECK_LT(t_RC->get(now, DNSName("powerdns.com."), QType(QType::NS), false, &cached, who), 0); | |
10635 | BOOST_CHECK_LT(t_RC->get(now, DNSName("spoofed.ns."), QType(QType::A), false, &cached, who), 0); | |
10636 | BOOST_CHECK_LT(t_RC->get(now, DNSName("spoofed.ns."), QType(QType::AAAA), false, &cached, who), 0); | |
10637 | } | |
10638 | ||
d6e797b8 RG |
10639 | /* |
10640 | // cerr<<"asyncresolve called to ask "<<ip.toStringWithPort()<<" about "<<domain.toString()<<" / "<<QType(type).getName()<<" over "<<(doTCP ? "TCP" : "UDP")<<" (rd: "<<sendRDQuery<<", EDNS0 level: "<<EDNS0Level<<")"<<endl; | |
10641 | ||
648bcbd1 | 10642 | - check out of band support |
d6e797b8 | 10643 | |
648bcbd1 | 10644 | - check preoutquery |
d6e797b8 | 10645 | |
30ee601a RG |
10646 | */ |
10647 | ||
10648 | BOOST_AUTO_TEST_SUITE_END() |