Commit | Line | Data |
---|---|---|
11886ab9 PL |
1 | import dns |
2 | from recursortests import RecursorTest | |
3 | import os | |
4 | ||
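class BasicDNSSEC(RecursorTest):
    """DNSSEC validation checks run against a recursor started with ``dnssec=validate``.

    Each test sends one query through ``sendQuery`` and asserts on the
    response code, on the RRSIGs in the answer section and, where it matters,
    on the header flags. The names queried fall into three families:
    ``secure`` (answers are expected to come back authenticated),
    ``insecure`` (answers are expected without RRSIGs) and ``bogus``
    (the recursor is expected to answer SERVFAIL).
    """

    # Collection is switched off on this class itself.
    # NOTE(review): presumably subclasses re-enable it - confirm against the test runner setup.
    __test__ = False
    _config_template = """dnssec=validate"""

    @classmethod
    def setUp(cls):
        """Wipe the recursor cache for this class's configuration directory."""
        confdir = os.path.join('configs', cls._confdir)
        cls.wipeRecursorCache(confdir)

    @classmethod
    def sendQuery(cls, name, rdtype):
        """Build a DNSSEC-aware query for ``name``/``rdtype`` and send it over UDP.

        The query is created with ``want_dnssec=True`` and additionally has the
        AD flag set in its header. Returns whatever ``sendUDPQuery`` returns.
        """
        # First parameter renamed from ``self`` to ``cls``: this is a
        # classmethod, so the bound object is the class, not an instance.
        msg = dns.message.make_query(name, rdtype, want_dnssec=True)
        msg.flags |= dns.flags.AD

        return cls.sendUDPQuery(msg)

    def testSecureAnswer(self):
        """A name in the secure zone: NOERROR, signed A record, authenticated."""
        res = self.sendQuery('ns.secure.example.', 'A')
        expected = dns.rrset.from_text(
            'ns.secure.example.', 0, dns.rdataclass.IN, 'A',
            '{prefix}.10'.format(prefix=self._PREFIX))

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expected)
        self.assertMessageIsAuthenticated(res)

    def testInsecureAnswer(self):
        """A name in the insecure zone: NOERROR, no RRSIGs, not marked authenticated."""
        res = self.sendQuery('node1.insecure.example.', 'A')

        self.assertNoRRSIGsInAnswer(res)
        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        # Without a flag check, a validator that wrongly set AD on unsigned
        # data would still pass this test. Same expected flag list as the
        # CNAME-chain tests in this class (AD is not in it).
        # NOTE(review): assumes assertMessageHasFlags rejects flags that are
        # not listed - confirm against its definition in RecursorTest.
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])

    def testBogusAnswer(self):
        """A name in the bogus zone: SERVFAIL and an empty answer section."""
        res = self.sendQuery('ted.bogus.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
        # The empty-answer check matters as much as the rcode: data that
        # failed validation must not be handed to the client.
        self.assertAnswerEmpty(res)

    def testSecureNXDOMAIN(self):
        """A non-existent name in the secure zone yields NXDOMAIN."""
        # NOTE(review): unlike testSecureSubtreeInZoneNXDOMAIN, this test does
        # not assert that the denial is authenticated - confirm whether that
        # omission is intentional.
        res = self.sendQuery('nxdomain.secure.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)

    def testInsecureNXDOMAIN(self):
        """A non-existent name in the insecure zone yields NXDOMAIN."""
        res = self.sendQuery('nxdomain.insecure.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)

    def testBogusNXDOMAIN(self):
        """A non-existent name in the bogus zone yields SERVFAIL, not NXDOMAIN."""
        res = self.sendQuery('nxdomain.bogus.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.SERVFAIL)

    def testSecureOptoutAnswer(self):
        """A signed name under the opt-out zone: NOERROR, signed A record, authenticated."""
        res = self.sendQuery('node1.secure.optout.example.', 'A')
        expected = dns.rrset.from_text(
            'node1.secure.optout.example.', 0, dns.rdataclass.IN, 'A',
            '192.0.2.8')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expected)
        self.assertMessageIsAuthenticated(res)

    def testInsecureOptoutAnswer(self):
        """An unsigned name under the opt-out zone: NOERROR, no RRSIGs, not authenticated."""
        res = self.sendQuery('node1.insecure.optout.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertNoRRSIGsInAnswer(res)
        # Same gap as testInsecureAnswer: pin the header flags so that an AD
        # bit on an unsigned delegation is caught.
        # NOTE(review): assumes assertMessageHasFlags rejects flags that are
        # not listed - confirm against its definition in RecursorTest.
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])

    def testSecureSubtreeInZoneAnswer(self):
        """An existing name below ``sub.secure.example.``: signed and authenticated."""
        res = self.sendQuery('host1.sub.secure.example.', 'A')
        expected = dns.rrset.from_text(
            'host1.sub.secure.example.', 0, dns.rdataclass.IN, 'A',
            '192.0.2.11')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expected)
        self.assertMessageIsAuthenticated(res)

    def testSecureSubtreeInZoneNXDOMAIN(self):
        """A missing name below ``sub.secure.example.``: authenticated NXDOMAIN."""
        res = self.sendQuery('host2.sub.secure.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
        self.assertMessageIsAuthenticated(res)

    def testSecureWildcardAnswer(self):
        """A wildcard-matched name in the secure zone: signed and authenticated."""
        res = self.sendQuery('something.wildcard.secure.example.', 'A')
        expected = dns.rrset.from_text(
            'something.wildcard.secure.example.', 0, dns.rdataclass.IN, 'A',
            '192.0.2.10')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expected)
        self.assertMessageIsAuthenticated(res)

    def testSecureCNAMEWildCardAnswer(self):
        """A wildcard CNAME to an existing secure host: both records signed, authenticated."""
        res = self.sendQuery('something.cnamewildcard.secure.example.', 'A')
        expectedCNAME = dns.rrset.from_text(
            'something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')
        expectedA = dns.rrset.from_text(
            'host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
        self.assertMatchingRRSIGInAnswer(res, expectedA)
        self.assertMessageIsAuthenticated(res)

    def testSecureCNAMEWildCardNXDOMAIN(self):
        """A wildcard CNAME to a missing secure name: signed CNAME, authenticated NXDOMAIN."""
        res = self.sendQuery('something.cnamewildcardnxdomain.secure.example.', 'A')
        expectedCNAME = dns.rrset.from_text(
            'something.cnamewildcardnxdomain.secure.example.', 0,
            dns.rdataclass.IN, 'CNAME', 'doesntexist.secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
        self.assertMessageIsAuthenticated(res)

    def testSecureNoData(self):
        """An existing secure name queried for a type it lacks: authenticated NODATA."""
        res = self.sendQuery('host1.secure.example.', 'AAAA')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertAnswerEmpty(res)
        self.assertAuthorityHasSOA(res)
        self.assertMessageIsAuthenticated(res)

    def testSecureCNAMENoData(self):
        """A secure CNAME whose target lacks the queried type: signed CNAME plus SOA."""
        res = self.sendQuery('cname.secure.example.', 'AAAA')
        expectedCNAME = dns.rrset.from_text(
            'cname.secure.example.', 0, dns.rdataclass.IN, 'CNAME',
            'host1.secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
        self.assertAuthorityHasSOA(res)
        self.assertMessageIsAuthenticated(res)

    def testSecureWildCardNoData(self):
        """A wildcard CNAME whose target lacks the queried type: signed CNAME plus SOA."""
        res = self.sendQuery('something.cnamewildcard.secure.example.', 'AAAA')
        expectedCNAME = dns.rrset.from_text(
            'something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
        self.assertAuthorityHasSOA(res)
        self.assertMessageIsAuthenticated(res)

    def testInsecureToSecureCNAMEAnswer(self):
        """An insecure CNAME pointing at a secure host: signed A record, no AD."""
        res = self.sendQuery('cname-to-secure.insecure.example.', 'A')
        expectedA = dns.rrset.from_text(
            'host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
        expectedCNAME = dns.rrset.from_text(
            'cname-to-secure.insecure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        # AD is not in the expected flag list: the chain starts in an unsigned
        # zone, so the response as a whole must not be reported as
        # authenticated even though its final A record carries an RRSIG.
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(res, expectedCNAME)
        self.assertMatchingRRSIGInAnswer(res, expectedA)

    def testSecureToInsecureCNAMEAnswer(self):
        """A secure CNAME pointing at an insecure host: signed CNAME, no AD."""
        res = self.sendQuery('cname-to-insecure.secure.example.', 'A')
        expectedA = dns.rrset.from_text(
            'node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
        # NOTE(review): the CNAME target here is 'node1.secure.example.' while
        # the A record expected above is owned by 'node1.insecure.example.'.
        # Looks like a typo for the insecure name; confirm against the zone
        # data and against what assertMatchingRRSIGInAnswer actually compares.
        expectedCNAME = dns.rrset.from_text(
            'cname-to-insecure.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'node1.secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        # AD is not in the expected flag list: the signed CNAME leads into an
        # unsigned zone, so the final answer cannot be authenticated.
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(res, expectedA)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)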
156 |