1 | import dns |
2 | from recursortests import RecursorTest | |
3 | import os | |
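class BasicDNSSEC(RecursorTest):
    """DNSSEC validation behaviour of the recursor running with ``dnssec=validate``.

    Every case sends a query with the DO bit set (the flag checks below expect
    ``DO`` on each reply) for a name living in a zone that is signed and valid
    ("secure"), unsigned ("insecure") or fails validation ("bogus"), possibly
    reached through a wildcard, CNAME or DNAME, and checks the three things a
    validating resolver must get right:

    * the RCODE: data that fails validation must turn into SERVFAIL with an
      empty answer section, never be handed to the client;
    * whether RRSIGs are present in the answer section;
    * whether the reply is marked authenticated (AD): only when the whole chain
      validated, and never once the chain passed through an insecure zone,
      CNAME target or DNAME target, even if the final data itself is signed.

    ``__test__ = False`` keeps this base class out of collection; concrete
    subclasses (which presumably set ``_confdir``, read in ``setUp``) run it.
    """
    __test__ = False
    _config_template = """dnssec=validate"""

    @classmethod
    def setUp(cls):
        """Wipe the recursor's cache before each test.

        Each case must be validated from scratch rather than served from data an
        earlier case left cached.  unittest calls ``self.setUp()``, which resolves
        to this classmethod with ``cls`` bound to the test class.
        """
        confdir = os.path.join('configs', cls._confdir)
        cls.wipeRecursorCache(confdir)

    # --- plain answers -------------------------------------------------

    def testSecureAnswer(self):
        """A record in a signed zone: signed answer, AD set."""
        res = self.sendQuery('ns.secure.example.', 'A')
        # ns.secure.example. sits on the test network prefix rather than in 192.0.2.0/24.
        expected = dns.rrset.from_text('ns.secure.example.', 0, dns.rdataclass.IN, 'A', '{prefix}.10'.format(prefix=self._PREFIX))

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expected)
        self.assertMessageIsAuthenticated(res)

    def testInsecureAnswer(self):
        """A record in an unsigned zone: answered, no RRSIGs, and -- crucially --
        not marked authenticated."""
        res = self.sendQuery('node1.insecure.example.', 'A')
        expected = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        # An insecure answer must never carry AD: a client that trusts AD would
        # otherwise treat unvalidated data as validated.
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(res, expected)
        self.assertNoRRSIGsInAnswer(res)

    def testBogusAnswer(self):
        """Data that fails validation is withheld: SERVFAIL, empty answer."""
        res = self.sendQuery('ted.bogus.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
        self.assertAnswerEmpty(res)

    # --- denial of existence -------------------------------------------

    def testSecureNXDOMAIN(self):
        """Validated denial of existence in a signed zone: NXDOMAIN with AD."""
        res = self.sendQuery('nxdomain.secure.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
        # The denial proof is signed, so the reply is authenticated just like
        # the in-zone subtree NXDOMAIN case below.
        self.assertMessageIsAuthenticated(res)

    def testInsecureNXDOMAIN(self):
        """Denial of existence in an unsigned zone: NXDOMAIN, not authenticated."""
        res = self.sendQuery('nxdomain.insecure.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
        # No AD on an unvalidated denial.
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])

    def testBogusNXDOMAIN(self):
        """A denial that fails validation is withheld: SERVFAIL."""
        res = self.sendQuery('nxdomain.bogus.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.SERVFAIL)

    # --- NSEC3 opt-out ---------------------------------------------------

    def testSecureOptoutAnswer(self):
        """Signed name below an opt-out zone: signed answer, AD set."""
        res = self.sendQuery('node1.secure.optout.example.', 'A')
        expected = dns.rrset.from_text('node1.secure.optout.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.8')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expected)
        self.assertMessageIsAuthenticated(res)

    def testInsecureOptoutAnswer(self):
        """Unsigned delegation covered by opt-out: answered, no RRSIGs, no AD."""
        res = self.sendQuery('node1.insecure.optout.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        # Opt-out only proves the delegation is unsigned; the data is insecure
        # and must not be marked authenticated.
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
        self.assertNoRRSIGsInAnswer(res)

    # --- names in a subtree of the signed zone ---------------------------

    def testSecureSubtreeInZoneAnswer(self):
        """Name several labels below the apex of a signed zone: signed, AD set."""
        res = self.sendQuery('host1.sub.secure.example.', 'A')
        expected = dns.rrset.from_text('host1.sub.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.11')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expected)
        self.assertMessageIsAuthenticated(res)

    def testSecureSubtreeInZoneNXDOMAIN(self):
        """Validated NXDOMAIN for a name deep inside a signed zone: AD set."""
        res = self.sendQuery('host2.sub.secure.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
        self.assertMessageIsAuthenticated(res)

    # --- wildcards -------------------------------------------------------

    def testSecureWildcardAnswer(self):
        """Wildcard-synthesised A record in a signed zone validates and is AD."""
        res = self.sendQuery('something.wildcard.secure.example.', 'A')
        expected = dns.rrset.from_text('something.wildcard.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.10')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expected)
        self.assertMessageIsAuthenticated(res)

    def testSecureCNAMEWildCardAnswer(self):
        """Wildcard CNAME to a signed target: both the CNAME and the A are signed."""
        res = self.sendQuery('something.cnamewildcard.secure.example.', 'A')
        expectedCNAME = dns.rrset.from_text('something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
        expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
        self.assertMatchingRRSIGInAnswer(res, expectedA)
        self.assertMessageIsAuthenticated(res)

    def testSecureCNAMEWildCardNXDOMAIN(self):
        """Wildcard CNAME to a non-existent signed name: signed CNAME plus a
        validated NXDOMAIN, AD set."""
        # the answer to this query reaches the UDP truncation threshold, so let's use TCP
        res = self.sendQuery('something.cnamewildcardnxdomain.secure.example.', 'A', useTCP=True)
        expectedCNAME = dns.rrset.from_text('something.cnamewildcardnxdomain.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'doesntexist.secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
        self.assertMessageIsAuthenticated(res)

    # --- NODATA ----------------------------------------------------------

    def testSecureNoData(self):
        """Existing name, absent type, signed zone: NOERROR, empty answer, SOA in
        authority, AD set."""
        res = self.sendQuery('host1.secure.example.', 'AAAA')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertAnswerEmpty(res)
        self.assertAuthorityHasSOA(res)
        self.assertMessageIsAuthenticated(res)

    def testSecureCNAMENoData(self):
        """Signed CNAME whose target lacks the queried type: signed CNAME, SOA in
        authority, AD set."""
        res = self.sendQuery('cname.secure.example.', 'AAAA')
        expectedCNAME = dns.rrset.from_text('cname.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
        self.assertAuthorityHasSOA(res)
        self.assertMessageIsAuthenticated(res)

    def testSecureWildCardNoData(self):
        """Wildcard CNAME whose target lacks the queried type: same shape as the
        plain CNAME NODATA case, AD set."""
        res = self.sendQuery('something.cnamewildcard.secure.example.', 'AAAA')
        expectedCNAME = dns.rrset.from_text('something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
        self.assertAuthorityHasSOA(res)
        self.assertMessageIsAuthenticated(res)

    # --- CNAMEs crossing a security boundary -----------------------------

    def testInsecureToSecureCNAMEAnswer(self):
        """Unsigned CNAME into a signed zone: the target A is signed, but the
        chain started insecure so the reply must not be AD."""
        res = self.sendQuery('cname-to-secure.insecure.example.', 'A')
        expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
        expectedCNAME = dns.rrset.from_text('cname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(res, expectedCNAME)
        self.assertMatchingRRSIGInAnswer(res, expectedA)

    def testSecureToInsecureCNAMEAnswer(self):
        """Signed CNAME into an unsigned zone: the CNAME is signed, the target A
        is not, so the reply must not be AD."""
        res = self.sendQuery('cname-to-insecure.secure.example.', 'A')
        expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
        # The CNAME target has to be the owner of the A record asserted below;
        # a CNAME to node1.secure.example. could never yield node1.insecure.example.'s A.
        expectedCNAME = dns.rrset.from_text('cname-to-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
        # Check the CNAME rdata itself, not just that an RRSIG covers the name.
        self.assertRRsetInAnswer(res, expectedCNAME)
        self.assertRRsetInAnswer(res, expectedA)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)

    # --- DNAMEs ----------------------------------------------------------

    def testSecureDNAMEToSecureAnswer(self):
        """Signed DNAME into a signed zone: DNAME and final A are signed, the
        synthesised CNAME is present, AD set."""
        res = self.sendQuery('host1.dname-secure.secure.example.', 'A')
        expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
        expectedCNAME = dns.rrset.from_text('host1.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.')
        expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
        self.assertRRsetInAnswer(res, expectedA)
        self.assertRRsetInAnswer(res, expectedCNAME)
        self.assertRRsetInAnswer(res, expectedDNAME)
        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
        self.assertMatchingRRSIGInAnswer(res, expectedA)

    def testSecureDNAMEToSecureNXDomain(self):
        """Signed DNAME into a signed zone, target missing: validated NXDOMAIN,
        DNAME signed, AD set."""
        res = self.sendQuery('nxd.dname-secure.secure.example.', 'A')
        expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
        expectedCNAME = dns.rrset.from_text('nxd.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
        self.assertRRsetInAnswer(res, expectedCNAME)
        self.assertRRsetInAnswer(res, expectedDNAME)
        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)

    def testSecureDNAMEToInsecureAnswer(self):
        """Signed DNAME into an unsigned zone: DNAME signed, final A not, no AD."""
        res = self.sendQuery('node1.dname-insecure.secure.example.', 'A')
        expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.')
        expectedCNAME = dns.rrset.from_text('node1.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.')
        expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(res, expectedA)
        self.assertRRsetInAnswer(res, expectedCNAME)
        self.assertRRsetInAnswer(res, expectedDNAME)
        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)

    def testSecureDNAMEToInsecureNXDomain(self):
        """Signed DNAME into an unsigned zone, target missing: NXDOMAIN, no AD."""
        res = self.sendQuery('nxd.dname-insecure.secure.example.', 'A')
        expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.')
        expectedCNAME = dns.rrset.from_text('nxd.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.insecure.example.')

        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(res, expectedCNAME)
        self.assertRRsetInAnswer(res, expectedDNAME)
        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)

    def testSecureDNAMEToBogusAnswer(self):
        """Signed DNAME into a zone that fails validation: SERVFAIL, nothing leaked."""
        res = self.sendQuery('ted.dname-bogus.secure.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
        self.assertAnswerEmpty(res)

    def testSecureDNAMEToBogusNXDomain(self):
        """Signed DNAME into a zone that fails validation, target missing: SERVFAIL."""
        res = self.sendQuery('nxd.dname-bogus.secure.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
        self.assertAnswerEmpty(res)

    def testInsecureDNAMEtoSecureAnswer(self):
        """Unsigned DNAME into a signed zone: final A is signed, but the chain
        started insecure so no AD."""
        res = self.sendQuery('host1.dname-to-secure.insecure.example.', 'A')
        expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
        expectedCNAME = dns.rrset.from_text('host1.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.')
        expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(res, expectedA)
        self.assertRRsetInAnswer(res, expectedCNAME)
        self.assertRRsetInAnswer(res, expectedDNAME)
        self.assertMatchingRRSIGInAnswer(res, expectedA)

    def testSecureDNAMEToSecureCNAMEAnswer(self):
        """Signed DNAME whose synthesised target is itself a signed CNAME to a
        signed A: every signed link present, AD set."""
        res = self.sendQuery('cname-to-secure.dname-secure.secure.example.', 'A')

        expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
        expectedCNAME1 = dns.rrset.from_text('cname-to-secure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-secure.dname-secure.example.')
        expectedCNAME2 = dns.rrset.from_text('cname-to-secure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
        expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
        self.assertRRsetInAnswer(res, expectedA)
        self.assertRRsetInAnswer(res, expectedCNAME1)
        self.assertRRsetInAnswer(res, expectedCNAME2)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME2)
        self.assertRRsetInAnswer(res, expectedDNAME)
        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
        self.assertMatchingRRSIGInAnswer(res, expectedA)

    def testSecureDNAMEToInsecureCNAMEAnswer(self):
        """Signed DNAME, then a signed CNAME into an unsigned zone: the final A
        is unsigned, so no AD despite the signed DNAME and CNAME."""
        res = self.sendQuery('cname-to-insecure.dname-secure.secure.example.', 'A')

        expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
        expectedCNAME1 = dns.rrset.from_text('cname-to-insecure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-insecure.dname-secure.example.')
        expectedCNAME2 = dns.rrset.from_text('cname-to-insecure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.')
        expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(res, expectedA)
        self.assertRRsetInAnswer(res, expectedCNAME1)
        self.assertRRsetInAnswer(res, expectedCNAME2)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME2)
        self.assertRRsetInAnswer(res, expectedDNAME)
        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)

    def testSecureDNAMEToBogusCNAMEAnswer(self):
        """Signed DNAME, then a CNAME into a zone that fails validation: SERVFAIL,
        nothing leaked."""
        res = self.sendQuery('cname-to-bogus.dname-secure.secure.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
        self.assertAnswerEmpty(res)

    def testInsecureDNAMEtoSecureNXDomain(self):
        """Unsigned DNAME into a signed zone, target missing: NXDOMAIN, no AD
        because the chain started insecure."""
        res = self.sendQuery('nxd.dname-to-secure.insecure.example.', 'A')
        expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
        expectedCNAME = dns.rrset.from_text('nxd.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(res, expectedCNAME)
        self.assertRRsetInAnswer(res, expectedDNAME)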