]>
Commit | Line | Data |
---|---|---|
11886ab9 PL |
1 | import dns |
2 | from recursortests import RecursorTest | |
3 | import os | |
4 | ||
5 | class BasicDNSSEC(RecursorTest): | |
6 | __test__ = False | |
7 | _config_template = """dnssec=validate""" | |
8 | ||
9 | @classmethod | |
10 | def setUp(cls): | |
11 | confdir = os.path.join('configs', cls._confdir) | |
12 | cls.wipeRecursorCache(confdir) | |
13 | ||
14 | @classmethod | |
a0fdbef7 | 15 | def sendQuery(self, name, rdtype, useTCP=False): |
11886ab9 PL |
16 | """Helper function that creates the query""" |
17 | msg = dns.message.make_query(name, rdtype, want_dnssec=True) | |
18 | msg.flags |= dns.flags.AD | |
19 | ||
a0fdbef7 RG |
20 | if useTCP: |
21 | return self.sendTCPQuery(msg) | |
11886ab9 PL |
22 | return self.sendUDPQuery(msg) |
23 | ||
24 | def testSecureAnswer(self): | |
25 | res = self.sendQuery('ns.secure.example.', 'A') | |
26 | expected = dns.rrset.from_text('ns.secure.example.', 0, dns.rdataclass.IN, 'A', '{prefix}.10'.format(prefix=self._PREFIX)) | |
27 | ||
28 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
29 | self.assertMatchingRRSIGInAnswer(res, expected) | |
30 | self.assertMessageIsAuthenticated(res) | |
31 | ||
32 | def testInsecureAnswer(self): | |
33 | res = self.sendQuery('node1.insecure.example.', 'A') | |
34 | ||
35 | self.assertNoRRSIGsInAnswer(res) | |
36 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
37 | ||
38 | def testBogusAnswer(self): | |
39 | res = self.sendQuery('ted.bogus.example.', 'A') | |
40 | ||
41 | self.assertRcodeEqual(res, dns.rcode.SERVFAIL) | |
42 | self.assertAnswerEmpty(res) | |
43 | ||
44 | def testSecureNXDOMAIN(self): | |
45 | res = self.sendQuery('nxdomain.secure.example.', 'A') | |
46 | ||
47 | self.assertRcodeEqual(res, dns.rcode.NXDOMAIN) | |
48 | ||
49 | def testInsecureNXDOMAIN(self): | |
50 | res = self.sendQuery('nxdomain.insecure.example.', 'A') | |
51 | ||
52 | self.assertRcodeEqual(res, dns.rcode.NXDOMAIN) | |
53 | ||
54 | def testBogusNXDOMAIN(self): | |
55 | res = self.sendQuery('nxdomain.bogus.example.', 'A') | |
56 | ||
57 | self.assertRcodeEqual(res, dns.rcode.SERVFAIL) | |
58 | ||
59 | def testSecureOptoutAnswer(self): | |
60 | res = self.sendQuery('node1.secure.optout.example.', 'A') | |
61 | expected = dns.rrset.from_text('node1.secure.optout.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.8') | |
62 | ||
63 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
64 | self.assertMatchingRRSIGInAnswer(res, expected) | |
65 | self.assertMessageIsAuthenticated(res) | |
66 | ||
67 | def testInsecureOptoutAnswer(self): | |
68 | res = self.sendQuery('node1.insecure.optout.example.', 'A') | |
69 | ||
70 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
71 | self.assertNoRRSIGsInAnswer(res) | |
46419ee3 PL |
72 | |
73 | def testSecureSubtreeInZoneAnswer(self): | |
74 | res = self.sendQuery('host1.sub.secure.example.', 'A') | |
75 | expected = dns.rrset.from_text('host1.sub.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.11') | |
76 | ||
77 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
78 | self.assertMatchingRRSIGInAnswer(res, expected) | |
79 | self.assertMessageIsAuthenticated(res) | |
80 | ||
81 | def testSecureSubtreeInZoneNXDOMAIN(self): | |
82 | res = self.sendQuery('host2.sub.secure.example.', 'A') | |
83 | ||
84 | self.assertRcodeEqual(res, dns.rcode.NXDOMAIN) | |
85 | self.assertMessageIsAuthenticated(res) | |
fdb27cb2 PL |
86 | |
87 | def testSecureWildcardAnswer(self): | |
88 | res = self.sendQuery('something.wildcard.secure.example.', 'A') | |
89 | expected = dns.rrset.from_text('something.wildcard.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.10') | |
90 | ||
91 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
92 | self.assertMatchingRRSIGInAnswer(res, expected) | |
93 | self.assertMessageIsAuthenticated(res) | |
52033c6f PL |
94 | |
95 | def testSecureCNAMEWildCardAnswer(self): | |
96 | res = self.sendQuery('something.cnamewildcard.secure.example.', 'A') | |
97 | expectedCNAME = dns.rrset.from_text('something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.') | |
98 | expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2') | |
99 | ||
100 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
101 | self.assertMatchingRRSIGInAnswer(res, expectedCNAME) | |
102 | self.assertMatchingRRSIGInAnswer(res, expectedA) | |
103 | self.assertMessageIsAuthenticated(res) | |
104 | ||
105 | def testSecureCNAMEWildCardNXDOMAIN(self): | |
a0fdbef7 RG |
106 | # the answer to this query reaches the UDP truncation threshold, so let's use TCP |
107 | res = self.sendQuery('something.cnamewildcardnxdomain.secure.example.', 'A', useTCP=True) | |
52033c6f PL |
108 | expectedCNAME = dns.rrset.from_text('something.cnamewildcardnxdomain.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'doesntexist.secure.example.') |
109 | ||
110 | self.assertRcodeEqual(res, dns.rcode.NXDOMAIN) | |
111 | self.assertMatchingRRSIGInAnswer(res, expectedCNAME) | |
112 | self.assertMessageIsAuthenticated(res) | |
05537f80 PL |
113 | |
114 | def testSecureNoData(self): | |
115 | res = self.sendQuery('host1.secure.example.', 'AAAA') | |
116 | ||
117 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
118 | self.assertAnswerEmpty(res) | |
119 | self.assertAuthorityHasSOA(res) | |
120 | self.assertMessageIsAuthenticated(res) | |
121 | ||
122 | def testSecureCNAMENoData(self): | |
123 | res = self.sendQuery('cname.secure.example.', 'AAAA') | |
124 | expectedCNAME = dns.rrset.from_text('cname.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.') | |
125 | ||
126 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
127 | self.assertMatchingRRSIGInAnswer(res, expectedCNAME) | |
128 | self.assertAuthorityHasSOA(res) | |
129 | self.assertMessageIsAuthenticated(res) | |
130 | ||
131 | def testSecureWildCardNoData(self): | |
132 | res = self.sendQuery('something.cnamewildcard.secure.example.', 'AAAA') | |
133 | expectedCNAME = dns.rrset.from_text('something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.') | |
134 | ||
135 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
136 | self.assertMatchingRRSIGInAnswer(res, expectedCNAME) | |
137 | self.assertAuthorityHasSOA(res) | |
138 | self.assertMessageIsAuthenticated(res) | |
6552b37b PL |
139 | |
140 | def testInsecureToSecureCNAMEAnswer(self): | |
141 | res = self.sendQuery('cname-to-secure.insecure.example.', 'A') | |
142 | expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2') | |
143 | expectedCNAME = dns.rrset.from_text('cname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.') | |
144 | ||
145 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
146 | self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO']) | |
147 | self.assertRRsetInAnswer(res, expectedCNAME) | |
148 | self.assertMatchingRRSIGInAnswer(res, expectedA) | |
149 | ||
150 | def testSecureToInsecureCNAMEAnswer(self): | |
151 | res = self.sendQuery('cname-to-insecure.secure.example.', 'A') | |
152 | expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6') | |
153 | expectedCNAME = dns.rrset.from_text('cname-to-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.secure.example.') | |
154 | ||
155 | self.assertRcodeEqual(res, dns.rcode.NOERROR) | |
156 | self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO']) | |
157 | self.assertRRsetInAnswer(res, expectedA) | |
158 | self.assertMatchingRRSIGInAnswer(res, expectedCNAME) | |
159 |