Commit | Line | Data |
---|---|---|
11886ab9 PL |
1 | import dns |
2 | from recursortests import RecursorTest | |
3 | import os | |
4 | ||
class BasicDNSSEC(RecursorTest):
    """Shared DNSSEC validation checks for the recursor under test.

    Every test sends a single query through ``sendQuery`` and checks the
    response code and, depending on the case, the RRSIGs in the answer
    section, the SOA in the authority section and whether the message passes
    ``assertMessageIsAuthenticated``. Query names follow a ``secure`` /
    ``insecure`` / ``bogus`` scheme; the zone data behind those names and the
    assertion helpers live outside this file.

    ``_confdir`` and ``_PREFIX`` are read here but not defined here.
    """

    # Standard collector opt-out flag; presumably concrete subclasses turn it
    # back on and supply _confdir -- confirm against the subclasses.
    __test__ = False
    # Recursor configuration fragment used for these tests.
    _config_template = """dnssec=validate"""

    @classmethod
    def setUp(cls):
        # Wipe the recursor cache for this configuration directory.
        # NOTE(review): presumably this runs before each test so that a result
        # cached by one test cannot satisfy the next -- confirm with the runner.
        cache_confdir = os.path.join('configs', cls._confdir)
        cls.wipeRecursorCache(cache_confdir)

    def testSecureAnswer(self):
        # Name in the secure zone: NOERROR, the A RRset with a matching RRSIG,
        # and an authenticated message.
        response = self.sendQuery('ns.secure.example.', 'A')
        address = '{prefix}.10'.format(prefix=self._PREFIX)
        signed_a = dns.rrset.from_text(
            'ns.secure.example.', 0, dns.rdataclass.IN, 'A', address)

        self.assertRcodeEqual(response, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(response, signed_a)
        self.assertMessageIsAuthenticated(response)

    def testInsecureAnswer(self):
        # Name in the insecure zone: the answer carries no RRSIGs and resolves
        # normally.
        # NOTE(review): nothing here asserts that the message is *not* marked
        # authenticated, so an insecure answer wrongly flagged as validated
        # would still pass; consider a negative check.
        response = self.sendQuery('node1.insecure.example.', 'A')

        self.assertNoRRSIGsInAnswer(response)
        self.assertRcodeEqual(response, dns.rcode.NOERROR)

    def testBogusAnswer(self):
        # Name in the bogus zone: the test expects SERVFAIL and an empty answer
        # section, i.e. no record data from that zone reaches the client.
        response = self.sendQuery('ted.bogus.example.', 'A')

        self.assertRcodeEqual(response, dns.rcode.SERVFAIL)
        self.assertAnswerEmpty(response)

    def testSecureNXDOMAIN(self):
        # Non-existent name in the secure zone.
        # NOTE(review): only the rcode is checked here, whereas
        # testSecureSubtreeInZoneNXDOMAIN also asserts the message is
        # authenticated; confirm whether the same check belongs here.
        response = self.sendQuery('nxdomain.secure.example.', 'A')

        self.assertRcodeEqual(response, dns.rcode.NXDOMAIN)

    def testInsecureNXDOMAIN(self):
        # Non-existent name in the insecure zone: plain NXDOMAIN.
        response = self.sendQuery('nxdomain.insecure.example.', 'A')

        self.assertRcodeEqual(response, dns.rcode.NXDOMAIN)

    def testBogusNXDOMAIN(self):
        # Non-existent name in the bogus zone: the test expects SERVFAIL, not
        # NXDOMAIN.
        response = self.sendQuery('nxdomain.bogus.example.', 'A')

        self.assertRcodeEqual(response, dns.rcode.SERVFAIL)

    def testSecureOptoutAnswer(self):
        # Secure name under optout.example.: signed and authenticated.
        response = self.sendQuery('node1.secure.optout.example.', 'A')
        signed_a = dns.rrset.from_text(
            'node1.secure.optout.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.8')

        self.assertRcodeEqual(response, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(response, signed_a)
        self.assertMessageIsAuthenticated(response)

    def testInsecureOptoutAnswer(self):
        # Insecure name under optout.example.: resolves, without RRSIGs.
        # NOTE(review): as in testInsecureAnswer, the authenticated state of
        # the message is not checked.
        response = self.sendQuery('node1.insecure.optout.example.', 'A')

        self.assertRcodeEqual(response, dns.rcode.NOERROR)
        self.assertNoRRSIGsInAnswer(response)

    def testSecureSubtreeInZoneAnswer(self):
        # Existing name below sub.secure.example.: signed and authenticated.
        response = self.sendQuery('host1.sub.secure.example.', 'A')
        signed_a = dns.rrset.from_text(
            'host1.sub.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.11')

        self.assertRcodeEqual(response, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(response, signed_a)
        self.assertMessageIsAuthenticated(response)

    def testSecureSubtreeInZoneNXDOMAIN(self):
        # Missing name below sub.secure.example.: NXDOMAIN that is itself
        # authenticated.
        response = self.sendQuery('host2.sub.secure.example.', 'A')

        self.assertRcodeEqual(response, dns.rcode.NXDOMAIN)
        self.assertMessageIsAuthenticated(response)

    def testSecureWildcardAnswer(self):
        # Name under wildcard.secure.example.: the A RRset is expected under
        # the queried name, with a matching RRSIG.
        response = self.sendQuery('something.wildcard.secure.example.', 'A')
        signed_a = dns.rrset.from_text(
            'something.wildcard.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.10')

        self.assertRcodeEqual(response, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(response, signed_a)
        self.assertMessageIsAuthenticated(response)

    def testSecureCNAMEWildCardAnswer(self):
        # Name under cnamewildcard.secure.example.: both the CNAME and the A
        # record of its target must carry matching RRSIGs.
        response = self.sendQuery('something.cnamewildcard.secure.example.', 'A')
        signed_cname = dns.rrset.from_text(
            'something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')
        signed_a = dns.rrset.from_text(
            'host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')

        self.assertRcodeEqual(response, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(response, signed_cname)
        self.assertMatchingRRSIGInAnswer(response, signed_a)
        self.assertMessageIsAuthenticated(response)

    def testSecureCNAMEWildCardNXDOMAIN(self):
        # This response reaches the UDP truncation threshold, so the query is
        # sent over TCP.
        response = self.sendQuery(
            'something.cnamewildcardnxdomain.secure.example.', 'A', useTCP=True)
        signed_cname = dns.rrset.from_text(
            'something.cnamewildcardnxdomain.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'doesntexist.secure.example.')

        # The CNAME itself is answered and signed; its target does not exist.
        self.assertRcodeEqual(response, dns.rcode.NXDOMAIN)
        self.assertMatchingRRSIGInAnswer(response, signed_cname)
        self.assertMessageIsAuthenticated(response)

    def testSecureNoData(self):
        # Existing secure name queried for AAAA: NOERROR with an empty answer,
        # an SOA in the authority section and an authenticated message.
        response = self.sendQuery('host1.secure.example.', 'AAAA')

        self.assertRcodeEqual(response, dns.rcode.NOERROR)
        self.assertAnswerEmpty(response)
        self.assertAuthorityHasSOA(response)
        self.assertMessageIsAuthenticated(response)

    def testSecureCNAMENoData(self):
        # AAAA query for a secure CNAME: the signed CNAME is in the answer and
        # the authority section carries an SOA.
        response = self.sendQuery('cname.secure.example.', 'AAAA')
        signed_cname = dns.rrset.from_text(
            'cname.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')

        self.assertRcodeEqual(response, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(response, signed_cname)
        self.assertAuthorityHasSOA(response)
        self.assertMessageIsAuthenticated(response)

    def testSecureWildCardNoData(self):
        # Same as testSecureCNAMENoData, for a name under
        # cnamewildcard.secure.example.
        response = self.sendQuery('something.cnamewildcard.secure.example.', 'AAAA')
        signed_cname = dns.rrset.from_text(
            'something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')

        self.assertRcodeEqual(response, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(response, signed_cname)
        self.assertAuthorityHasSOA(response)
        self.assertMessageIsAuthenticated(response)

    def testInsecureToSecureCNAMEAnswer(self):
        # CNAME in the insecure zone pointing at a name in the secure zone:
        # the CNAME only has to be present, the target A must be signed.
        response = self.sendQuery('cname-to-secure.insecure.example.', 'A')
        signed_a = dns.rrset.from_text(
            'host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
        plain_cname = dns.rrset.from_text(
            'cname-to-secure.insecure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')

        self.assertRcodeEqual(response, dns.rcode.NOERROR)
        # NOTE(review): if assertMessageHasFlags compares the flag set exactly,
        # this also pins the authenticated flag as clear for a chain that
        # starts in an insecure zone -- confirm against the helper.
        self.assertMessageHasFlags(response, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(response, plain_cname)
        self.assertMatchingRRSIGInAnswer(response, signed_a)

    def testSecureToInsecureCNAMEAnswer(self):
        # CNAME in the secure zone pointing into the insecure zone: the CNAME
        # must be signed, the target A only has to be present.
        response = self.sendQuery('cname-to-insecure.secure.example.', 'A')
        plain_a = dns.rrset.from_text(
            'node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
        # NOTE(review): the CNAME target given here is 'node1.secure.example.'
        # while the expected A record is owned by 'node1.insecure.example.'.
        # If assertMatchingRRSIGInAnswer matches on owner and type only, the
        # test passes either way -- confirm which target the zone publishes.
        signed_cname = dns.rrset.from_text(
            'cname-to-insecure.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'node1.secure.example.')

        self.assertRcodeEqual(response, dns.rcode.NOERROR)
        # NOTE(review): as in testInsecureToSecureCNAMEAnswer, whether this
        # rules out the authenticated flag depends on the helper.
        self.assertMessageHasFlags(response, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(response, plain_a)
        self.assertMatchingRRSIGInAnswer(response, signed_cname)
149 |