]>
Commit | Line | Data |
---|---|---|
11886ab9 PL |
1 | import dns |
2 | from recursortests import RecursorTest | |
3 | import os | |
4 | ||
5 | class BasicDNSSEC(RecursorTest): | |
6 | __test__ = False | |
7 | _config_template = """dnssec=validate""" | |
8 | ||
9 | @classmethod | |
10 | def setUp(cls): | |
11 | confdir = os.path.join('configs', cls._confdir) | |
12 | cls.wipeRecursorCache(confdir) | |
13 | ||
11886ab9 PL |
14 | def testSecureAnswer(self): |
15 | res = self.sendQuery('ns.secure.example.', 'A') | |
16 | expected = dns.rrset.from_text('ns.secure.example.', 0, dns.rdataclass.IN, 'A', '{prefix}.10'.format(prefix=self._PREFIX)) | |
17 | ||
18 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
19 | self.assertMatchingRRSIGInAnswer(res, expected) | |
20 | self.assertMessageIsAuthenticated(res) | |
21 | ||
22 | def testInsecureAnswer(self): | |
23 | res = self.sendQuery('node1.insecure.example.', 'A') | |
24 | ||
25 | self.assertNoRRSIGsInAnswer(res) | |
26 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
27 | ||
0242fed7 RG |
28 | # now we request the DS for insecure.example., which does not exist, |
29 | # to check that we correctly get the SOA and not just the denial proof | |
30 | # that the recursor received on the delegation from example. to insecure.example. | |
31 | res = self.sendQuery('insecure.example.', 'DS') | |
32 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
33 | self.assertMessageIsAuthenticated(res) | |
34 | self.assertAuthorityHasSOA(res) | |
35 | ||
11886ab9 PL |
36 | def testBogusAnswer(self): |
37 | res = self.sendQuery('ted.bogus.example.', 'A') | |
38 | ||
39 | self.assertRcodeEqual(res, dns.rcode.SERVFAIL) | |
40 | self.assertAnswerEmpty(res) | |
41 | ||
42 | def testSecureNXDOMAIN(self): | |
43 | res = self.sendQuery('nxdomain.secure.example.', 'A') | |
44 | ||
45 | self.assertRcodeEqual(res, dns.rcode.NXDOMAIN) | |
46 | ||
47 | def testInsecureNXDOMAIN(self): | |
48 | res = self.sendQuery('nxdomain.insecure.example.', 'A') | |
49 | ||
50 | self.assertRcodeEqual(res, dns.rcode.NXDOMAIN) | |
51 | ||
52 | def testBogusNXDOMAIN(self): | |
53 | res = self.sendQuery('nxdomain.bogus.example.', 'A') | |
54 | ||
55 | self.assertRcodeEqual(res, dns.rcode.SERVFAIL) | |
56 | ||
57 | def testSecureOptoutAnswer(self): | |
58 | res = self.sendQuery('node1.secure.optout.example.', 'A') | |
59 | expected = dns.rrset.from_text('node1.secure.optout.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.8') | |
60 | ||
61 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
62 | self.assertMatchingRRSIGInAnswer(res, expected) | |
63 | self.assertMessageIsAuthenticated(res) | |
64 | ||
65 | def testInsecureOptoutAnswer(self): | |
66 | res = self.sendQuery('node1.insecure.optout.example.', 'A') | |
67 | ||
68 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
69 | self.assertNoRRSIGsInAnswer(res) | |
46419ee3 PL |
70 | |
71 | def testSecureSubtreeInZoneAnswer(self): | |
72 | res = self.sendQuery('host1.sub.secure.example.', 'A') | |
73 | expected = dns.rrset.from_text('host1.sub.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.11') | |
74 | ||
75 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
76 | self.assertMatchingRRSIGInAnswer(res, expected) | |
77 | self.assertMessageIsAuthenticated(res) | |
78 | ||
79 | def testSecureSubtreeInZoneNXDOMAIN(self): | |
80 | res = self.sendQuery('host2.sub.secure.example.', 'A') | |
81 | ||
82 | self.assertRcodeEqual(res, dns.rcode.NXDOMAIN) | |
83 | self.assertMessageIsAuthenticated(res) | |
fdb27cb2 PL |
84 | |
85 | def testSecureWildcardAnswer(self): | |
86 | res = self.sendQuery('something.wildcard.secure.example.', 'A') | |
87 | expected = dns.rrset.from_text('something.wildcard.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.10') | |
88 | ||
89 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
90 | self.assertMatchingRRSIGInAnswer(res, expected) | |
91 | self.assertMessageIsAuthenticated(res) | |
52033c6f PL |
92 | |
93 | def testSecureCNAMEWildCardAnswer(self): | |
94 | res = self.sendQuery('something.cnamewildcard.secure.example.', 'A') | |
95 | expectedCNAME = dns.rrset.from_text('something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.') | |
96 | expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2') | |
97 | ||
98 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
99 | self.assertMatchingRRSIGInAnswer(res, expectedCNAME) | |
100 | self.assertMatchingRRSIGInAnswer(res, expectedA) | |
101 | self.assertMessageIsAuthenticated(res) | |
102 | ||
103 | def testSecureCNAMEWildCardNXDOMAIN(self): | |
a0fdbef7 RG |
104 | # the answer to this query reaches the UDP truncation threshold, so let's use TCP |
105 | res = self.sendQuery('something.cnamewildcardnxdomain.secure.example.', 'A', useTCP=True) | |
ef2ea4bf | 106 | expectedCNAME = dns.rrset.from_text('something.cnamewildcardnxdomain.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'doesnotexist.secure.example.') |
52033c6f PL |
107 | |
108 | self.assertRcodeEqual(res, dns.rcode.NXDOMAIN) | |
109 | self.assertMatchingRRSIGInAnswer(res, expectedCNAME) | |
110 | self.assertMessageIsAuthenticated(res) | |
05537f80 PL |
111 | |
112 | def testSecureNoData(self): | |
113 | res = self.sendQuery('host1.secure.example.', 'AAAA') | |
114 | ||
115 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
116 | self.assertAnswerEmpty(res) | |
117 | self.assertAuthorityHasSOA(res) | |
118 | self.assertMessageIsAuthenticated(res) | |
119 | ||
120 | def testSecureCNAMENoData(self): | |
121 | res = self.sendQuery('cname.secure.example.', 'AAAA') | |
122 | expectedCNAME = dns.rrset.from_text('cname.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.') | |
123 | ||
124 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
125 | self.assertMatchingRRSIGInAnswer(res, expectedCNAME) | |
126 | self.assertAuthorityHasSOA(res) | |
127 | self.assertMessageIsAuthenticated(res) | |
128 | ||
129 | def testSecureWildCardNoData(self): | |
130 | res = self.sendQuery('something.cnamewildcard.secure.example.', 'AAAA') | |
131 | expectedCNAME = dns.rrset.from_text('something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.') | |
132 | ||
133 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
134 | self.assertMatchingRRSIGInAnswer(res, expectedCNAME) | |
135 | self.assertAuthorityHasSOA(res) | |
136 | self.assertMessageIsAuthenticated(res) | |
6552b37b PL |
137 | |
138 | def testInsecureToSecureCNAMEAnswer(self): | |
139 | res = self.sendQuery('cname-to-secure.insecure.example.', 'A') | |
140 | expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2') | |
141 | expectedCNAME = dns.rrset.from_text('cname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.') | |
142 | ||
143 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
144 | self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO']) | |
145 | self.assertRRsetInAnswer(res, expectedCNAME) | |
146 | self.assertMatchingRRSIGInAnswer(res, expectedA) | |
147 | ||
148 | def testSecureToInsecureCNAMEAnswer(self): | |
149 | res = self.sendQuery('cname-to-insecure.secure.example.', 'A') | |
150 | expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6') | |
151 | expectedCNAME = dns.rrset.from_text('cname-to-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.secure.example.') | |
152 | ||
153 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
154 | self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO']) | |
155 | self.assertRRsetInAnswer(res, expectedA) | |
156 | self.assertMatchingRRSIGInAnswer(res, expectedCNAME) | |
157 | ||
9516e835 PL |
158 | def testSecureDNAMEToSecureAnswer(self): |
159 | res = self.sendQuery('host1.dname-secure.secure.example.', 'A') | |
160 | expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.') | |
161 | expectedCNAME = dns.rrset.from_text('host1.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.') | |
162 | expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21') | |
163 | ||
164 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
165 | self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO']) | |
166 | self.assertRRsetInAnswer(res, expectedA) | |
167 | self.assertRRsetInAnswer(res, expectedCNAME) | |
168 | self.assertRRsetInAnswer(res, expectedDNAME) | |
169 | self.assertMatchingRRSIGInAnswer(res, expectedDNAME) | |
170 | self.assertMatchingRRSIGInAnswer(res, expectedA) | |
171 | ||
172 | def testSecureDNAMEToSecureNXDomain(self): | |
173 | res = self.sendQuery('nxd.dname-secure.secure.example.', 'A') | |
174 | expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.') | |
175 | expectedCNAME = dns.rrset.from_text('nxd.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.') | |
176 | ||
177 | self.assertRcodeEqual(res, dns.rcode.NXDOMAIN) | |
178 | self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO']) | |
179 | self.assertRRsetInAnswer(res, expectedCNAME) | |
180 | self.assertRRsetInAnswer(res, expectedDNAME) | |
181 | self.assertMatchingRRSIGInAnswer(res, expectedDNAME) | |
182 | ||
183 | def testSecureDNAMEToInsecureAnswer(self): | |
184 | res = self.sendQuery('node1.dname-insecure.secure.example.', 'A') | |
185 | expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.') | |
186 | expectedCNAME = dns.rrset.from_text('node1.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.') | |
187 | expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6') | |
188 | ||
189 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
190 | self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO']) | |
191 | self.assertRRsetInAnswer(res, expectedA) | |
192 | self.assertRRsetInAnswer(res, expectedCNAME) | |
193 | self.assertRRsetInAnswer(res, expectedDNAME) | |
194 | self.assertMatchingRRSIGInAnswer(res, expectedDNAME) | |
195 | ||
196 | def testSecureDNAMEToInsecureNXDomain(self): | |
197 | res = self.sendQuery('nxd.dname-insecure.secure.example.', 'A') | |
198 | expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.') | |
199 | expectedCNAME = dns.rrset.from_text('nxd.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.insecure.example.') | |
200 | ||
201 | self.assertRcodeEqual(res, dns.rcode.NXDOMAIN) | |
202 | self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO']) | |
203 | self.assertRRsetInAnswer(res, expectedCNAME) | |
204 | self.assertRRsetInAnswer(res, expectedDNAME) | |
205 | self.assertMatchingRRSIGInAnswer(res, expectedDNAME) | |
206 | ||
207 | def testSecureDNAMEToBogusAnswer(self): | |
208 | res = self.sendQuery('ted.dname-bogus.secure.example.', 'A') | |
209 | ||
210 | self.assertRcodeEqual(res, dns.rcode.SERVFAIL) | |
211 | self.assertAnswerEmpty(res) | |
212 | ||
213 | def testSecureDNAMEToBogusNXDomain(self): | |
214 | res = self.sendQuery('nxd.dname-bogus.secure.example.', 'A') | |
215 | ||
216 | self.assertRcodeEqual(res, dns.rcode.SERVFAIL) | |
217 | self.assertAnswerEmpty(res) | |
218 | ||
219 | def testInsecureDNAMEtoSecureAnswer(self): | |
220 | res = self.sendQuery('host1.dname-to-secure.insecure.example.', 'A') | |
221 | expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.') | |
222 | expectedCNAME = dns.rrset.from_text('host1.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.') | |
223 | expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21') | |
224 | ||
225 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
226 | self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO']) | |
227 | self.assertRRsetInAnswer(res, expectedA) | |
228 | self.assertRRsetInAnswer(res, expectedCNAME) | |
229 | self.assertRRsetInAnswer(res, expectedDNAME) | |
230 | self.assertMatchingRRSIGInAnswer(res, expectedA) | |
231 | ||
232 | def testSecureDNAMEToSecureCNAMEAnswer(self): | |
233 | res = self.sendQuery('cname-to-secure.dname-secure.secure.example.', 'A') | |
234 | ||
235 | expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.') | |
236 | expectedCNAME1 = dns.rrset.from_text('cname-to-secure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-secure.dname-secure.example.') | |
237 | expectedCNAME2 = dns.rrset.from_text('cname-to-secure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.') | |
238 | expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2') | |
239 | ||
240 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
241 | self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO']) | |
242 | self.assertRRsetInAnswer(res, expectedA) | |
243 | self.assertRRsetInAnswer(res, expectedCNAME1) | |
244 | self.assertRRsetInAnswer(res, expectedCNAME2) | |
245 | self.assertMatchingRRSIGInAnswer(res, expectedCNAME2) | |
246 | self.assertRRsetInAnswer(res, expectedDNAME) | |
247 | self.assertMatchingRRSIGInAnswer(res, expectedDNAME) | |
248 | self.assertMatchingRRSIGInAnswer(res, expectedA) | |
249 | ||
250 | def testSecureDNAMEToInsecureCNAMEAnswer(self): | |
251 | res = self.sendQuery('cname-to-insecure.dname-secure.secure.example.', 'A') | |
252 | ||
253 | expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.') | |
254 | expectedCNAME1 = dns.rrset.from_text('cname-to-insecure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-insecure.dname-secure.example.') | |
255 | expectedCNAME2 = dns.rrset.from_text('cname-to-insecure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.') | |
256 | expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6') | |
257 | ||
258 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
259 | self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO']) | |
260 | self.assertRRsetInAnswer(res, expectedA) | |
261 | self.assertRRsetInAnswer(res, expectedCNAME1) | |
262 | self.assertRRsetInAnswer(res, expectedCNAME2) | |
263 | self.assertMatchingRRSIGInAnswer(res, expectedCNAME2) | |
264 | self.assertRRsetInAnswer(res, expectedDNAME) | |
265 | self.assertMatchingRRSIGInAnswer(res, expectedDNAME) | |
266 | ||
267 | def testSecureDNAMEToBogusCNAMEAnswer(self): | |
268 | res = self.sendQuery('cname-to-bogus.dname-secure.secure.example.', 'A') | |
269 | ||
270 | self.assertRcodeEqual(res, dns.rcode.SERVFAIL) | |
271 | self.assertAnswerEmpty(res) | |
272 | ||
273 | def testInsecureDNAMEtoSecureNXDomain(self): | |
274 | res = self.sendQuery('nxd.dname-to-secure.insecure.example.', 'A') | |
275 | expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.') | |
276 | expectedCNAME = dns.rrset.from_text('nxd.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.') | |
277 | ||
278 | self.assertRcodeEqual(res, dns.rcode.NXDOMAIN) | |
279 | self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO']) | |
280 | self.assertRRsetInAnswer(res, expectedCNAME) | |
281 | self.assertRRsetInAnswer(res, expectedDNAME) |