]>
Commit | Line | Data |
---|---|---|
7568b07d PL |
1 | #!/usr/bin/env python2 |
2 | ||
7a0ea291 | 3 | from __future__ import print_function |
7568b07d PL |
4 | import errno |
5 | import shutil | |
6 | import os | |
7 | import socket | |
8 | import struct | |
9 | import subprocess | |
10 | import sys | |
11 | import time | |
12 | import unittest | |
13 | import dns | |
14 | import dns.message | |
15 | ||
9166ee1b RG |
16 | from proxyprotocol import ProxyProtocol |
17 | ||
753a8109 PD |
18 | from eqdnsmessage import AssertEqualDNSMessageMixin |
19 | ||
fb027663 PL |
20 | |
21 | def have_ipv6(): | |
22 | """ | |
23 | Try to make an IPv6 socket and bind it, if it fails, no ipv6... | |
24 | """ | |
25 | try: | |
26 | sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) | |
27 | sock.bind(('::1', 56581)) | |
28 | sock.close() | |
29 | return True | |
30 | except: | |
31 | return False | |
32 | return False | |
33 | ||
34 | ||
753a8109 | 35 | class RecursorTest(AssertEqualDNSMessageMixin, unittest.TestCase): |
7568b07d PL |
36 | """ |
37 | Setup all recursors and auths required for the tests | |
38 | """ | |
39 | ||
40 | _confdir = 'recursor' | |
41 | ||
7568b07d PL |
42 | _recursorPort = 5300 |
43 | ||
44 | _recursor = None | |
45 | ||
46 | _PREFIX = os.environ['PREFIX'] | |
47 | ||
48 | _config_template_default = """ | |
49 | daemon=no | |
50 | trace=yes | |
51 | dont-query= | |
52 | local-address=127.0.0.1 | |
d2c1660a OM |
53 | packetcache-ttl=15 |
54 | packetcache-servfail-ttl=15 | |
7568b07d | 55 | max-cache-ttl=15 |
d2c1660a | 56 | threads=2 |
7568b07d PL |
57 | loglevel=9 |
58 | disable-syslog=yes | |
949cd0f2 | 59 | log-common-errors=yes |
5f0a330f | 60 | statistics-interval=0 |
9883d3f9 OM |
61 | """ |
62 | _config_template_yaml_default = """ | |
63 | recursor: | |
64 | daemon: false | |
65 | threads: 2 | |
66 | include_dir: %s | |
67 | recordcache: | |
68 | max_ttl: 15 | |
69 | incoming: | |
70 | listen: | |
71 | - 127.0.0.1 | |
72 | packetcache: | |
73 | ttl: 15 | |
74 | servfail_ttl: 15 | |
75 | outgoing: | |
76 | dont_query: [] | |
77 | logging: | |
78 | trace: true | |
79 | disable_syslog: true | |
80 | common_errors: true | |
81 | loglevel: 9 | |
82 | statistics_interval: 0 | |
7568b07d PL |
83 | """ |
84 | _config_template = """ | |
85 | """ | |
86 | _config_params = [] | |
87 | _lua_config_file = None | |
18e0e4df | 88 | _lua_dns_script_file = None |
7568b07d PL |
89 | _roothints = """ |
90 | . 3600 IN NS ns.root. | |
91 | ns.root. 3600 IN A %s.8 | |
8064abbb | 92 | ns.root. 3600 IN AAAA ::1 |
7568b07d PL |
93 | """ % _PREFIX |
94 | _root_DS = "63149 13 1 a59da3f5c1b97fcd5fa2b3b2b0ac91d38a60d33a" | |
95 | ||
96 | # The default SOA for zones in the authoritative servers | |
97 | _SOA = "ns1.example.net. hostmaster.example.net. 1 3600 1800 1209600 300" | |
98 | ||
99 | # The definitions of the zones on the authoritative servers, the key is the | |
100 | # zonename and the value is the zonefile content. several strings are replaced: | |
101 | # - {soa} => value of _SOA | |
102 | # - {prefix} value of _PREFIX | |
103 | _zones = { | |
104 | 'ROOT': """ | |
105 | . 3600 IN SOA {soa} | |
106 | . 3600 IN NS ns.root. | |
107 | ns.root. 3600 IN A {prefix}.8 | |
108 | ||
109 | example. 3600 IN NS ns1.example. | |
110 | example. 3600 IN NS ns2.example. | |
111 | example. 3600 IN DS 53174 13 1 50c9e913818767c236c06c2d8272723cb78cbf26 | |
112 | ||
113 | ns1.example. 3600 IN A {prefix}.10 | |
4709a495 | 114 | ns2.example. 3600 IN A {prefix}.18 |
7568b07d PL |
115 | """, |
116 | 'example': """ | |
117 | example. 3600 IN SOA {soa} | |
f3be2401 RG |
118 | example. 3600 IN NS ns1.example. |
119 | example. 3600 IN NS ns2.example. | |
7568b07d | 120 | ns1.example. 3600 IN A {prefix}.10 |
4709a495 | 121 | ns2.example. 3600 IN A {prefix}.18 |
7568b07d PL |
122 | |
123 | secure.example. 3600 IN NS ns.secure.example. | |
124 | secure.example. 3600 IN DS 64723 13 1 53eb985040d3a89bacf29dbddb55a65834706f33 | |
125 | ns.secure.example. 3600 IN A {prefix}.9 | |
126 | ||
d5b8ccd4 PL |
127 | cname-secure.example. 3600 IN NS ns.cname-secure.example. |
128 | cname-secure.example. 3600 IN DS 49148 13 1 a10314452d5ec4d97fcc6d7e275d217261fe790f | |
129 | ns.cname-secure.example. 3600 IN A {prefix}.15 | |
130 | ||
9516e835 PL |
131 | dname-secure.example. 3600 IN NS ns.dname-secure.example. |
132 | dname-secure.example. 3600 IN DS 42043 13 2 11c67f46b7c4d5968bc5f6cc944d58377b762bda53ddb4f3a6dbe6faf7a9940f | |
133 | ns.dname-secure.example. 3600 IN A {prefix}.13 | |
134 | ||
7568b07d PL |
135 | bogus.example. 3600 IN NS ns.bogus.example. |
136 | bogus.example. 3600 IN DS 65034 13 1 6df3bb50ea538e90eacdd7ae5419730783abb0ee | |
137 | ns.bogus.example. 3600 IN A {prefix}.12 | |
138 | ||
139 | insecure.example. 3600 IN NS ns.insecure.example. | |
140 | ns.insecure.example. 3600 IN A {prefix}.13 | |
11886ab9 PL |
141 | |
142 | optout.example. 3600 IN NS ns1.optout.example. | |
143 | optout.example. 3600 IN DS 59332 13 1 e664f886ae1b5df03d918bc1217d22afc29925b9 | |
144 | ns1.optout.example. 3600 IN A {prefix}.14 | |
962a980d | 145 | |
9996807c OM |
146 | postresolve_ffi.example. 3600 IN A 1.2.3.4 |
147 | postresolve_ffi.example. 3600 IN A 1.2.3.5 | |
148 | postresolve_ffi.example. 3600 IN AAAA ::1 | |
149 | postresolve_ffi.example. 3600 IN AAAA ::2 | |
150 | ||
962a980d PL |
151 | insecure-formerr.example. 3600 IN NS ns1.insecure-formerr.example. |
152 | ns1.insecure-formerr.example. 3600 IN A {prefix}.2 | |
3bebf5f0 | 153 | |
9a0b88e8 RG |
154 | ecs-echo.example. 3600 IN NS ns1.ecs-echo.example. |
155 | ns1.ecs-echo.example. 3600 IN A {prefix}.21 | |
156 | ||
3bebf5f0 PL |
157 | islandofsecurity.example. 3600 IN NS ns1.islandofsecurity.example. |
158 | ns1.islandofsecurity.example. 3600 IN A {prefix}.9 | |
2fed5be3 PD |
159 | |
160 | sortcname.example. 3600 IN CNAME sort | |
161 | sort.example. 3600 IN A 17.38.42.80 | |
162 | sort.example. 3600 IN A 192.168.0.1 | |
163 | sort.example. 3600 IN A 17.238.240.5 | |
164 | sort.example. 3600 IN MX 25 mx | |
c51c551e | 165 | |
a79f06c4 OM |
166 | delay1.example. 3600 IN NS ns1.delay1.example. |
167 | ns1.delay1.example. 3600 IN A {prefix}.16 | |
4709a495 OM |
168 | delay1.example. 3600 IN DS 42043 13 2 7319fa605cf117f36e3de070157577ebb9a05a1d1f963d80eda55b5d6e793eb2 |
169 | ||
a79f06c4 OM |
170 | delay2.example. 3600 IN NS ns1.delay2.example. |
171 | ns1.delay2.example. 3600 IN A {prefix}.17 | |
4709a495 | 172 | delay2.example. 3600 IN DS 42043 13 2 60a047b87740c8564c21d5fd34626c10a77a6c41e3b34564230119c2f13937b8 |
b7284b4d RG |
173 | |
174 | cname-nxd.example. 3600 IN CNAME cname-nxd-target.example. | |
175 | cname-nxd-target.example. 3600 IN A 192.0.2.100 | |
176 | cname-nodata.example. 3600 IN CNAME cname-nodata-target.example. | |
177 | cname-nodata-target.example. 3600 IN A 192.0.2.101 | |
178 | cname-custom-a.example. 3600 IN CNAME cname-custom-a-target.example. | |
179 | cname-custom-a-target.example. 3600 IN A 192.0.2.102 | |
7568b07d PL |
180 | """, |
181 | 'secure.example': """ | |
182 | secure.example. 3600 IN SOA {soa} | |
183 | secure.example. 3600 IN NS ns.secure.example. | |
184 | ns.secure.example. 3600 IN A {prefix}.9 | |
1fc89740 OM |
185 | secure.example. 3600 IN MX 10 mx1.secure.example. |
186 | secure.example. 3600 IN MX 20 mx2.secure.example. | |
89394fa7 OM |
187 | sub.secure.example. 3600 IN MX 10 mx1.secure.example. |
188 | sub.secure.example. 3600 IN MX 20 mx2.secure.example. | |
1fc89740 OM |
189 | |
190 | naptr.secure.example. 60 IN NAPTR 10 10 "a" "X" "A" s1.secure.example. | |
191 | naptr.secure.example. 60 IN NAPTR 10 10 "s" "Y" "B" service1.secure.example. | |
192 | naptr.secure.example. 60 IN NAPTR 10 10 "s" "Z" "C" service2.secure.example. | |
193 | service1.secure.example. 60 IN SRV 20 100 8080 a.secure.example. | |
194 | service2.secure.example. 60 IN SRV 20 100 8080 b.secure.example. | |
195 | ||
7568b07d | 196 | |
d5b8ccd4 | 197 | secure.example. 3600 IN A 192.0.2.17 |
1fc89740 OM |
198 | mx1.secure.example. 3600 IN A 192.0.2.18 |
199 | mx2.secure.example. 3600 IN AAAA 1::2 | |
200 | s1.secure.example. 3600 IN A 192.0.2.19 | |
201 | a.secure.example. 3600 IN A 192.0.2.20 | |
202 | a.secure.example. 3600 IN A 192.0.2.22 | |
203 | b.secure.example. 3600 IN A 192.0.2.21 | |
204 | b.secure.example. 3600 IN AAAA 1::3 | |
d5b8ccd4 | 205 | |
7568b07d | 206 | host1.secure.example. 3600 IN A 192.0.2.2 |
05537f80 | 207 | cname.secure.example. 3600 IN CNAME host1.secure.example. |
6552b37b | 208 | cname-to-insecure.secure.example. 3600 IN CNAME node1.insecure.example. |
faa3b298 | 209 | cname-to-bogus.secure.example. 3600 IN CNAME ted.bogus.example. |
3bebf5f0 | 210 | cname-to-islandofsecurity.secure.example. 3600 IN CNAME node1.islandofsecurity.example. |
46419ee3 PL |
211 | |
212 | host1.sub.secure.example. 3600 IN A 192.0.2.11 | |
fdb27cb2 | 213 | |
694ef440 PL |
214 | ;; See #4158 |
215 | sub2.secure.example. 3600 IN CNAME doesnotmatter.insecure.example. | |
216 | insecure.sub2.secure.example. 3600 IN NS ns1.insecure.example. | |
217 | ||
fdb27cb2 | 218 | *.wildcard.secure.example. 3600 IN A 192.0.2.10 |
52033c6f PL |
219 | |
220 | *.cnamewildcard.secure.example. 3600 IN CNAME host1.secure.example. | |
221 | ||
ef2ea4bf | 222 | *.cnamewildcardnxdomain.secure.example. 3600 IN CNAME doesnotexist.secure.example. |
962a980d PL |
223 | |
224 | cname-to-formerr.secure.example. 3600 IN CNAME host1.insecure-formerr.example. | |
9516e835 PL |
225 | |
226 | dname-secure.secure.example. 3600 IN DNAME dname-secure.example. | |
227 | dname-insecure.secure.example. 3600 IN DNAME insecure.example. | |
228 | dname-bogus.secure.example. 3600 IN DNAME bogus.example. | |
90b85dd0 PD |
229 | |
230 | non-apex-dnskey.secure.example. 3600 IN DNSKEY 257 3 13 CT6AJ4MEOtNDgj0+xLtTLGHf1WbLsKWZI8ONHOt/6q7hTjeWSnY/SGig1dIKZrHg+pJFUSPaxeShv48SYVRKEg== | |
29ad8796 PD |
231 | non-apex-dnskey2.secure.example. 3600 IN DNSKEY 256 3 13 CT6AJ4MEOtNDgj0+xLtTLGHf1WbLsKWZI8ONHOt/6q7hTjeWSnY/SGig1dIKZrHg+pJFUSPaxeShv48SYVRKEg== |
232 | non-apex-dnskey3.secure.example. 3600 IN DNSKEY 256 3 13 DT6AJ4MEOtNDgj0+xLtTLGHf1WbLsKWZI8ONHOt/6q7hTjeWSnY/SGig1dIKZrHg+pJFUSPaxeShv48SYVRKEg== | |
d5b8ccd4 | 233 | """, |
9516e835 PL |
234 | 'dname-secure.example': """ |
235 | dname-secure.example. 3600 IN SOA {soa} | |
236 | dname-secure.example. 3600 IN NS ns.dname-secure.example. | |
237 | ns.dname-secure.example. 3600 IN A {prefix}.13 | |
238 | ||
239 | host1.dname-secure.example. IN A 192.0.2.21 | |
240 | ||
241 | cname-to-secure.dname-secure.example. 3600 IN CNAME host1.secure.example. | |
242 | cname-to-insecure.dname-secure.example. 3600 IN CNAME node1.insecure.example. | |
243 | cname-to-bogus.dname-secure.example. 3600 IN CNAME ted.bogus.example. | |
244 | """, | |
d5b8ccd4 PL |
245 | 'cname-secure.example': """ |
246 | cname-secure.example. 3600 IN SOA {soa} | |
247 | cname-secure.example. 3600 IN NS ns.cname-secure.example. | |
248 | ns.cname-secure.example. 3600 IN A {prefix}.15 | |
249 | cname-secure.example. 3600 IN CNAME secure.example. | |
7568b07d PL |
250 | """, |
251 | 'bogus.example': """ | |
252 | bogus.example. 3600 IN SOA {soa} | |
253 | bogus.example. 3600 IN NS ns1.bogus.example. | |
254 | ns1.bogus.example. 3600 IN A {prefix}.12 | |
255 | ted.bogus.example. 3600 IN A 192.0.2.1 | |
256 | bill.bogus.example. 3600 IN AAAA 2001:db8:12::3 | |
694ef440 PL |
257 | """, |
258 | 'insecure.sub2.secure.example': """ | |
259 | insecure.sub2.secure.example. 3600 IN SOA {soa} | |
260 | insecure.sub2.secure.example. 3600 IN NS ns1.insecure.example. | |
261 | ||
262 | node1.insecure.sub2.secure.example. 3600 IN A 192.0.2.18 | |
7568b07d PL |
263 | """, |
264 | 'insecure.example': """ | |
265 | insecure.example. 3600 IN SOA {soa} | |
266 | insecure.example. 3600 IN NS ns1.insecure.example. | |
267 | ns1.insecure.example. 3600 IN A {prefix}.13 | |
268 | ||
269 | node1.insecure.example. 3600 IN A 192.0.2.6 | |
6552b37b PL |
270 | |
271 | cname-to-secure.insecure.example. 3600 IN CNAME host1.secure.example. | |
9516e835 PL |
272 | |
273 | dname-to-secure.insecure.example. 3600 IN DNAME dname-secure.example. | |
11886ab9 PL |
274 | """, |
275 | 'optout.example': """ | |
276 | optout.example. 3600 IN SOA {soa} | |
277 | optout.example. 3600 IN NS ns1.optout.example. | |
278 | ns1.optout.example. 3600 IN A {prefix}.14 | |
279 | ||
280 | insecure.optout.example. 3600 IN NS ns1.insecure.optout.example. | |
281 | ns1.insecure.optout.example. 3600 IN A {prefix}.15 | |
282 | ||
283 | secure.optout.example. 3600 IN NS ns1.secure.optout.example. | |
284 | secure.optout.example. 3600 IN DS 64215 13 1 b88284d7a8d8605c398e8942262f97b9a5a31787 | |
285 | ns1.secure.optout.example. 3600 IN A {prefix}.15 | |
286 | """, | |
287 | 'insecure.optout.example': """ | |
288 | insecure.optout.example. 3600 IN SOA {soa} | |
289 | insecure.optout.example. 3600 IN NS ns1.insecure.optout.example. | |
290 | ns1.insecure.optout.example. 3600 IN A {prefix}.15 | |
291 | ||
292 | node1.insecure.optout.example. 3600 IN A 192.0.2.7 | |
293 | """, | |
294 | 'secure.optout.example': """ | |
295 | secure.optout.example. 3600 IN SOA {soa} | |
296 | secure.optout.example. 3600 IN NS ns1.secure.optout.example. | |
297 | ns1.secure.optout.example. 3600 IN A {prefix}.15 | |
298 | ||
299 | node1.secure.optout.example. 3600 IN A 192.0.2.8 | |
3bebf5f0 PL |
300 | """, |
301 | 'islandofsecurity.example': """ | |
302 | islandofsecurity.example. 3600 IN SOA {soa} | |
303 | islandofsecurity.example. 3600 IN NS ns1.islandofsecurity.example. | |
304 | ns1.islandofsecurity.example. 3600 IN A {prefix}.9 | |
305 | ||
306 | node1.islandofsecurity.example. 3600 IN A 192.0.2.20 | |
3a7ddb0b PL |
307 | """, |
308 | 'undelegated.secure.example': """ | |
309 | undelegated.secure.example. 3600 IN SOA {soa} | |
310 | undelegated.secure.example. 3600 IN NS ns1.undelegated.secure.example. | |
311 | ||
312 | node1.undelegated.secure.example. 3600 IN A 192.0.2.21 | |
313 | """, | |
314 | 'undelegated.insecure.example': """ | |
315 | undelegated.insecure.example. 3600 IN SOA {soa} | |
316 | undelegated.insecure.example. 3600 IN NS ns1.undelegated.insecure.example. | |
317 | ||
318 | node1.undelegated.insecure.example. 3600 IN A 192.0.2.22 | |
319 | """, | |
c51c551e | 320 | |
a79f06c4 OM |
321 | 'delay1.example': """ |
322 | delay1.example. 3600 IN SOA {soa} | |
323 | delay1.example. 3600 IN NS n1.delay1.example. | |
324 | ns1.delay1.example. 3600 IN A {prefix}.16 | |
a2f9c045 | 325 | 8.delay1.example. 3600 IN A 192.0.2.100 |
a79f06c4 | 326 | *.delay1.example. 0 LUA TXT ";" "local socket=require('socket')" "socket.sleep(tonumber(qname:getRawLabels()[1])/10)" "return 'a'" |
a2f9c045 | 327 | *.delay1.example. 0 LUA AAAA ";" "local socket=require('socket')" "socket.sleep(tonumber(qname:getRawLabels()[1])/10)" "return '1::2'" |
a79f06c4 OM |
328 | """, |
329 | ||
330 | 'delay2.example': """ | |
331 | delay2.example. 3600 IN SOA {soa} | |
332 | delay2.example. 3600 IN NS n1.delay2.example. | |
333 | ns1.delay2.example. 3600 IN A {prefix}.17 | |
334 | *.delay2.example. 0 LUA TXT ";" "local socket=require('socket')" "socket.sleep(tonumber(qname:getRawLabels()[1])/10)" "return 'a'" | |
c51c551e | 335 | """ |
7568b07d PL |
336 | } |
337 | ||
338 | # The private keys for the zones (note that DS records should go into | |
339 | # the zonecontent in _zones | |
340 | _zone_keys = { | |
341 | 'ROOT': """ | |
342 | Private-key-format: v1.2 | |
343 | Algorithm: 13 (ECDSAP256SHA256) | |
344 | PrivateKey: rhWuEydDz3QaIspSVj683B8Xq5q/ozzA38XUgzD4Fbo= | |
345 | """, | |
346 | ||
347 | 'example': """ | |
348 | Private-key-format: v1.2 | |
349 | Algorithm: 13 (ECDSAP256SHA256) | |
350 | PrivateKey: Lt0v0Gol3pRUFM7fDdcy0IWN0O/MnEmVPA+VylL8Y4U= | |
351 | """, | |
352 | ||
353 | 'secure.example': """ | |
354 | Private-key-format: v1.2 | |
355 | Algorithm: 13 (ECDSAP256SHA256) | |
356 | PrivateKey: 1G4WRoOFJJXk+fotDCHVORtJmIG2OUhKi8AO2jDPGZA= | |
357 | """, | |
358 | ||
359 | 'bogus.example': """ | |
360 | Private-key-format: v1.2 | |
361 | Algorithm: 13 (ECDSAP256SHA256) | |
362 | PrivateKey: f5jV7Q8kd5hDpMWObsuQ6SQda0ftf+JrO3uZwEg6nVw= | |
363 | """, | |
11886ab9 PL |
364 | |
365 | 'optout.example': """ | |
366 | Private-key-format: v1.2 | |
367 | Algorithm: 13 (ECDSAP256SHA256) | |
368 | PrivateKey: efmq9G+J4Y2iPnIBRwJiy6Z/nIHSzpsCy/7XHhlS19A= | |
369 | """, | |
370 | ||
371 | 'secure.optout.example': """ | |
372 | Private-key-format: v1.2 | |
373 | Algorithm: 13 (ECDSAP256SHA256) | |
374 | PrivateKey: xcNUxt1Knj14A00lKQFDboluiJyM2f7FxpgsQaQ3AQ4= | |
3bebf5f0 PL |
375 | """, |
376 | ||
377 | 'islandofsecurity.example': """ | |
378 | Private-key-format: v1.2 | |
379 | Algorithm: 13 (ECDSAP256SHA256) | |
380 | PrivateKey: o9F5iix8V68tnMcuOaM2Lt8XXhIIY//SgHIHEePk6cM= | |
d5b8ccd4 PL |
381 | """, |
382 | ||
383 | 'cname-secure.example': """ | |
384 | Private-key-format: v1.2 | |
385 | Algorithm: 13 (ECDSAP256SHA256) | |
386 | PrivateKey: kvoV/g4IO/tefSro+FLJ5UC7H3BUf0IUtZQSUOfQGyA= | |
9516e835 PL |
387 | """, |
388 | ||
389 | 'dname-secure.example': """ | |
390 | Private-key-format: v1.2 | |
391 | Algorithm: 13 (ECDSAP256SHA256) | |
392 | PrivateKey: Ep9uo6+wwjb4MaOmqq7LHav2FLrjotVOeZg8JT1Qk04= | |
4709a495 OM |
393 | """, |
394 | ||
395 | 'delay1.example': """ | |
396 | Private-key-format: v1.2 | |
397 | Algorithm: 13 (ECDSAP256SHA256) | |
398 | PrivateKey: Ep9uo6+wwjb4MaOmqq7LHav2FLrjotVOeZg8JT1Qk04= | |
399 | """, | |
400 | ||
401 | 'delay2.example': """ | |
402 | Private-key-format: v1.2 | |
403 | Algorithm: 13 (ECDSAP256SHA256) | |
404 | PrivateKey: Ep9uo6+wwjb4MaOmqq7LHav2FLrjotVOeZg8JT1Qk04= | |
d5b8ccd4 | 405 | """ |
7568b07d PL |
406 | } |
407 | ||
408 | # This dict is keyed with the suffix of the IP address and its value | |
409 | # is a list of zones hosted on that IP. Note that delegations should | |
410 | # go into the _zones's zonecontent | |
411 | _auth_zones = { | |
c51c551e OM |
412 | '8': {'threads': 1, |
413 | 'zones': ['ROOT']}, | |
414 | '9': {'threads': 1, | |
415 | 'zones': ['secure.example', 'islandofsecurity.example']}, | |
416 | '10': {'threads': 1, | |
417 | 'zones': ['example']}, | |
4709a495 OM |
418 | |
419 | # 11 is used by CircleCI provided resolver | |
420 | ||
c51c551e OM |
421 | '12': {'threads': 1, |
422 | 'zones': ['bogus.example', 'undelegated.secure.example', 'undelegated.insecure.example']}, | |
423 | '13': {'threads': 1, | |
424 | 'zones': ['insecure.example', 'insecure.sub2.secure.example', 'dname-secure.example']}, | |
425 | '14': {'threads': 1, | |
426 | 'zones': ['optout.example']}, | |
427 | '15': {'threads': 1, | |
428 | 'zones': ['insecure.optout.example', 'secure.optout.example', 'cname-secure.example']}, | |
a79f06c4 OM |
429 | '16': {'threads': 2, |
430 | 'zones': ['delay1.example']}, | |
431 | '17': {'threads': 2, | |
4709a495 OM |
432 | 'zones': ['delay2.example']}, |
433 | '18': {'threads': 1, | |
434 | 'zones': ['example']} | |
7568b07d | 435 | } |
0cfe4767 OM |
436 | # Other IPs used: |
437 | # 2: test_Interop.py | |
438 | # 3-7: free? | |
439 | # 19: free? | |
440 | # 20: free? | |
441 | # 21: test_ECS.py | |
442 | # 22: test_EDNSBuffer.py | |
443 | # 23: test_Lua.py | |
444 | # 24: test_RoutingTag.py | |
7568b07d | 445 | |
cb54e9b5 PL |
446 | _auth_cmd = ['authbind', |
447 | os.environ['PDNS']] | |
448 | _auth_env = {} | |
7568b07d PL |
449 | _auths = {} |
450 | ||
451 | @classmethod | |
452 | def createConfigDir(cls, confdir): | |
453 | try: | |
454 | shutil.rmtree(confdir) | |
455 | except OSError as e: | |
456 | if e.errno != errno.ENOENT: | |
457 | raise | |
7a0ea291 | 458 | os.mkdir(confdir, 0o755) |
7568b07d PL |
459 | |
460 | @classmethod | |
461 | def generateAuthZone(cls, confdir, zonename, zonecontent): | |
462 | with open(os.path.join(confdir, '%s.zone' % zonename), 'w') as zonefile: | |
463 | zonefile.write(zonecontent.format(prefix=cls._PREFIX, soa=cls._SOA)) | |
464 | ||
465 | @classmethod | |
466 | def generateAuthNamedConf(cls, confdir, zones): | |
467 | with open(os.path.join(confdir, 'named.conf'), 'w') as namedconf: | |
468 | namedconf.write(""" | |
469 | options { | |
470 | directory "%s"; | |
471 | };""" % confdir) | |
472 | for zonename in zones: | |
473 | zone = '.' if zonename == 'ROOT' else zonename | |
474 | ||
475 | namedconf.write(""" | |
476 | zone "%s" { | |
477 | type master; | |
478 | file "%s.zone"; | |
479 | };""" % (zone, zonename)) | |
480 | ||
481 | @classmethod | |
c51c551e | 482 | def generateAuthConfig(cls, confdir, threads): |
7568b07d PL |
483 | bind_dnssec_db = os.path.join(confdir, 'bind-dnssec.sqlite3') |
484 | ||
485 | with open(os.path.join(confdir, 'pdns.conf'), 'w') as pdnsconf: | |
486 | pdnsconf.write(""" | |
487 | module-dir=../regression-tests/modules | |
488 | launch=bind | |
489 | daemon=no | |
7568b07d PL |
490 | bind-config={confdir}/named.conf |
491 | bind-dnssec-db={bind_dnssec_db} | |
492 | socket-dir={confdir} | |
493 | cache-ttl=0 | |
494 | negquery-cache-ttl=0 | |
495 | query-cache-ttl=0 | |
496 | log-dns-queries=yes | |
497 | log-dns-details=yes | |
498 | loglevel=9 | |
c51c551e | 499 | enable-lua-records |
9516e835 | 500 | dname-processing=yes |
c51c551e OM |
501 | distributor-threads={threads}""".format(confdir=confdir, |
502 | bind_dnssec_db=bind_dnssec_db, | |
503 | threads=threads)) | |
7568b07d PL |
504 | |
505 | pdnsutilCmd = [os.environ['PDNSUTIL'], | |
506 | '--config-dir=%s' % confdir, | |
507 | 'create-bind-db', | |
508 | bind_dnssec_db] | |
509 | ||
7a0ea291 | 510 | print(' '.join(pdnsutilCmd)) |
7568b07d PL |
511 | try: |
512 | subprocess.check_output(pdnsutilCmd, stderr=subprocess.STDOUT) | |
513 | except subprocess.CalledProcessError as e: | |
ff0bc6a6 | 514 | raise AssertionError('%s failed (%d): %s' % (pdnsutilCmd, e.returncode, e.output)) |
7568b07d PL |
515 | |
516 | @classmethod | |
517 | def secureZone(cls, confdir, zonename, key=None): | |
518 | zone = '.' if zonename == 'ROOT' else zonename | |
519 | if not key: | |
520 | pdnsutilCmd = [os.environ['PDNSUTIL'], | |
521 | '--config-dir=%s' % confdir, | |
522 | 'secure-zone', | |
523 | zone] | |
524 | else: | |
525 | keyfile = os.path.join(confdir, 'dnssec.key') | |
526 | with open(keyfile, 'w') as fdKeyfile: | |
527 | fdKeyfile.write(key) | |
528 | ||
529 | pdnsutilCmd = [os.environ['PDNSUTIL'], | |
530 | '--config-dir=%s' % confdir, | |
531 | 'import-zone-key', | |
532 | zone, | |
533 | keyfile, | |
534 | 'active', | |
535 | 'ksk'] | |
536 | ||
7a0ea291 | 537 | print(' '.join(pdnsutilCmd)) |
7568b07d PL |
538 | try: |
539 | subprocess.check_output(pdnsutilCmd, stderr=subprocess.STDOUT) | |
540 | except subprocess.CalledProcessError as e: | |
ff0bc6a6 | 541 | raise AssertionError('%s failed (%d): %s' % (pdnsutilCmd, e.returncode, e.output)) |
7568b07d PL |
542 | |
543 | @classmethod | |
544 | def generateAllAuthConfig(cls, confdir): | |
545 | if cls._auth_zones: | |
c51c551e OM |
546 | for auth_suffix, zoneinfo in cls._auth_zones.items(): |
547 | threads = zoneinfo['threads'] | |
548 | zones = zoneinfo['zones'] | |
7568b07d PL |
549 | authconfdir = os.path.join(confdir, 'auth-%s' % auth_suffix) |
550 | ||
551 | os.mkdir(authconfdir) | |
552 | ||
c51c551e | 553 | cls.generateAuthConfig(authconfdir, threads) |
7568b07d PL |
554 | cls.generateAuthNamedConf(authconfdir, zones) |
555 | ||
11886ab9 PL |
556 | for zone in zones: |
557 | cls.generateAuthZone(authconfdir, | |
558 | zone, | |
559 | cls._zones[zone]) | |
560 | if cls._zone_keys.get(zone, None): | |
561 | cls.secureZone(authconfdir, zone, cls._zone_keys.get(zone)) | |
7568b07d PL |
562 | |
563 | @classmethod | |
564 | def startAllAuth(cls, confdir): | |
565 | if cls._auth_zones: | |
566 | for auth_suffix, _ in cls._auth_zones.items(): | |
567 | authconfdir = os.path.join(confdir, 'auth-%s' % auth_suffix) | |
568 | ipaddress = cls._PREFIX + '.' + auth_suffix | |
569 | cls.startAuth(authconfdir, ipaddress) | |
570 | ||
70542ce3 O |
571 | @classmethod |
572 | def waitForTCPSocket(cls, ipaddress, port): | |
573 | for try_number in range(0, 100): | |
574 | try: | |
575 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
b7bb0ed5 | 576 | sock.settimeout(1.0) |
70542ce3 O |
577 | sock.connect((ipaddress, port)) |
578 | sock.close() | |
579 | return | |
580 | except Exception as err: | |
581 | if err.errno != errno.ECONNREFUSED: | |
582 | print(f'Error occurred: {try_number} {err}', file=sys.stderr) | |
583 | time.sleep(0.1) | |
584 | ||
7568b07d PL |
585 | @classmethod |
586 | def startAuth(cls, confdir, ipaddress): | |
587 | print("Launching pdns_server..") | |
11886ab9 | 588 | authcmd = list(cls._auth_cmd) |
cb54e9b5 | 589 | authcmd.append('--config-dir=%s' % confdir) |
2d0fc474 O |
590 | ipconfig = ipaddress |
591 | # auth-8 is the auth serving the root, it gets an ipv6 address | |
592 | if (confdir[-6:] == "auth-8") and have_ipv6(): | |
593 | ipconfig += ',::1' | |
594 | authcmd.append('--local-address=%s' % ipconfig) | |
7568b07d PL |
595 | print(' '.join(authcmd)) |
596 | ||
597 | logFile = os.path.join(confdir, 'pdns.log') | |
598 | with open(logFile, 'w') as fdLog: | |
599 | cls._auths[ipaddress] = subprocess.Popen(authcmd, close_fds=True, | |
cb54e9b5 PL |
600 | stdout=fdLog, stderr=fdLog, |
601 | env=cls._auth_env) | |
7568b07d | 602 | |
70542ce3 | 603 | cls.waitForTCPSocket(ipaddress, 53) |
7568b07d PL |
604 | |
605 | if cls._auths[ipaddress].poll() is not None: | |
32a17637 OM |
606 | print(f"\n*** startAuth log for {logFile} ***") |
607 | with open(logFile, 'r') as fdLog: | |
608 | print(fdLog.read()) | |
609 | print(f"*** End startAuth log for {logFile} ***") | |
610 | raise AssertionError('%s failed (%d)' % (authcmd, cls._auths[ipaddress].returncode)) | |
7568b07d PL |
611 | |
612 | @classmethod | |
613 | def generateRecursorConfig(cls, confdir): | |
614 | params = tuple([getattr(cls, param) for param in cls._config_params]) | |
615 | if len(params): | |
616 | print(params) | |
617 | ||
618 | recursorconf = os.path.join(confdir, 'recursor.conf') | |
619 | ||
620 | with open(recursorconf, 'w') as conf: | |
621 | conf.write("# Autogenerated by recursortests.py\n") | |
622 | conf.write(cls._config_template_default) | |
623 | conf.write(cls._config_template % params) | |
624 | conf.write("\n") | |
625 | conf.write("socket-dir=%s\n" % confdir) | |
626 | if cls._lua_config_file or cls._root_DS: | |
627 | luaconfpath = os.path.join(confdir, 'conffile.lua') | |
628 | with open(luaconfpath, 'w') as luaconf: | |
629 | if cls._root_DS: | |
8f29eeaa | 630 | luaconf.write("addTA('.', '%s')\n" % cls._root_DS) |
7568b07d PL |
631 | if cls._lua_config_file: |
632 | luaconf.write(cls._lua_config_file) | |
633 | conf.write("lua-config-file=%s\n" % luaconfpath) | |
18e0e4df RG |
634 | if cls._lua_dns_script_file: |
635 | luascriptpath = os.path.join(confdir, 'dnsscript.lua') | |
636 | with open(luascriptpath, 'w') as luascript: | |
637 | luascript.write(cls._lua_dns_script_file) | |
638 | conf.write("lua-dns-script=%s\n" % luascriptpath) | |
7568b07d PL |
639 | if cls._roothints: |
640 | roothintspath = os.path.join(confdir, 'root.hints') | |
641 | with open(roothintspath, 'w') as roothints: | |
642 | roothints.write(cls._roothints) | |
643 | conf.write("hint-file=%s\n" % roothintspath) | |
644 | ||
9883d3f9 OM |
645 | @classmethod |
646 | def generateRecursorYamlConfig(cls, confdir): | |
647 | params = tuple([getattr(cls, param) for param in cls._config_params]) | |
648 | if len(params): | |
649 | print(params) | |
650 | ||
651 | recursorconf = os.path.join(confdir, 'recursor.yml') | |
652 | ||
653 | with open(recursorconf, 'w') as conf: | |
654 | conf.write("# Autogenerated by recursortests.py\n") | |
655 | conf.write(cls._config_template_yaml_default % confdir) | |
656 | recursorconf = os.path.join(confdir, 'recursor01.yml') | |
657 | with open(recursorconf, 'w') as conf: | |
658 | conf.write(cls._config_template % params) | |
659 | conf.write("\n") | |
660 | recursorconf = os.path.join(confdir, 'recursor02.yml') | |
661 | with open(recursorconf, 'w') as conf: | |
662 | conf.write("recursor:\n") | |
663 | conf.write(" socket_dir: %s\n" % confdir) | |
664 | if cls._lua_config_file or cls._root_DS: | |
665 | luaconfpath = os.path.join(confdir, 'conffile.lua') | |
666 | with open(luaconfpath, 'w') as luaconf: | |
667 | if cls._root_DS: | |
668 | luaconf.write("addTA('.', '%s')\n" % cls._root_DS) | |
669 | if cls._lua_config_file: | |
670 | luaconf.write(cls._lua_config_file) | |
671 | conf.write(" lua_config_file: %s\n" % luaconfpath) | |
672 | if cls._lua_dns_script_file: | |
673 | luascriptpath = os.path.join(confdir, 'dnsscript.lua') | |
674 | with open(luascriptpath, 'w') as luascript: | |
675 | luascript.write(cls._lua_dns_script_file) | |
676 | conf.write(" lua_dns_script: %s\n" % luascriptpath) | |
677 | if cls._roothints: | |
678 | roothintspath = os.path.join(confdir, 'root.hints') | |
679 | with open(roothintspath, 'w') as roothints: | |
680 | roothints.write(cls._roothints) | |
681 | conf.write(" hint_file: %s\n" % roothintspath) | |
682 | ||
962a980d PL |
683 | @classmethod |
684 | def startResponders(cls): | |
685 | pass | |
686 | ||
7568b07d PL |
687 | @classmethod |
688 | def startRecursor(cls, confdir, port): | |
689 | print("Launching pdns_recursor..") | |
690 | recursorcmd = [os.environ['PDNSRECURSOR'], | |
691 | '--config-dir=%s' % confdir, | |
962a980d PL |
692 | '--local-port=%s' % port, |
693 | '--security-poll-suffix='] | |
7568b07d PL |
694 | print(' '.join(recursorcmd)) |
695 | ||
696 | logFile = os.path.join(confdir, 'recursor.log') | |
697 | with open(logFile, 'w') as fdLog: | |
698 | cls._recursor = subprocess.Popen(recursorcmd, close_fds=True, | |
699 | stdout=fdLog, stderr=fdLog) | |
700 | ||
70542ce3 | 701 | cls.waitForTCPSocket("127.0.0.1", port) |
7568b07d PL |
702 | |
703 | if cls._recursor.poll() is not None: | |
32a17637 OM |
704 | print(f"\n*** startRecursor log for {logFile} ***") |
705 | with open(logFile, 'r') as fdLog: | |
706 | print(fdLog.read()) | |
707 | print(f"*** End startRecursor log for {logFile} ***") | |
ff84d74b | 708 | raise AssertionError('%s failed (%d)' % (recursorcmd, cls._recursor.returncode)) |
7568b07d PL |
709 | |
710 | @classmethod | |
7d3d2f4f | 711 | def wipeRecursorCache(cls, confdir, name='.$'): |
7568b07d PL |
712 | rec_controlCmd = [os.environ['RECCONTROL'], |
713 | '--config-dir=%s' % confdir, | |
714 | 'wipe-cache', | |
7d3d2f4f | 715 | name] |
7568b07d PL |
716 | try: |
717 | subprocess.check_output(rec_controlCmd, stderr=subprocess.STDOUT) | |
718 | except subprocess.CalledProcessError as e: | |
ff0bc6a6 | 719 | raise AssertionError('%s failed (%d): %s' % (rec_controlCmd, e.returncode, e.output)) |
7568b07d PL |
720 | |
721 | @classmethod | |
722 | def setUpSockets(cls): | |
723 | print("Setting up UDP socket..") | |
724 | cls._sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) | |
725 | cls._sock.settimeout(2.0) | |
726 | cls._sock.connect(("127.0.0.1", cls._recursorPort)) | |
727 | ||
728 | @classmethod | |
729 | def setUpClass(cls): | |
730 | cls.setUpSockets() | |
962a980d PL |
731 | |
732 | cls.startResponders() | |
733 | ||
7568b07d PL |
734 | confdir = os.path.join('configs', cls._confdir) |
735 | cls.createConfigDir(confdir) | |
736 | cls.generateAllAuthConfig(confdir) | |
737 | cls.startAllAuth(confdir) | |
738 | ||
739 | cls.generateRecursorConfig(confdir) | |
740 | cls.startRecursor(confdir, cls._recursorPort) | |
741 | ||
742 | print("Launching tests..") | |
743 | ||
744 | @classmethod | |
745 | def tearDownClass(cls): | |
746 | cls.tearDownRecursor() | |
747 | cls.tearDownAuth() | |
962a980d PL |
748 | cls.tearDownResponders() |
749 | ||
750 | @classmethod | |
751 | def tearDownResponders(cls): | |
752 | pass | |
7568b07d PL |
753 | |
754 | @classmethod | |
70542ce3 | 755 | def killProcess(cls, p): |
32a17637 OM |
756 | # Don't try to kill it if it's already dead |
757 | if p.poll() is not None: | |
758 | return | |
7568b07d | 759 | try: |
70542ce3 O |
760 | p.terminate() |
761 | for count in range(10): | |
762 | x = p.poll() | |
763 | if x is not None: | |
764 | break | |
765 | time.sleep(0.1) | |
766 | if x is None: | |
767 | print("kill...", p, file=sys.stderr) | |
768 | p.kill() | |
769 | p.wait() | |
7568b07d PL |
770 | except OSError as e: |
771 | # There is a race-condition with the poll() and | |
772 | # kill() statements, when the process is dead on the | |
773 | # kill(), this is fine | |
774 | if e.errno != errno.ESRCH: | |
775 | raise | |
776 | ||
70542ce3 O |
777 | @classmethod |
778 | def tearDownAuth(cls): | |
779 | for _, auth in cls._auths.items(): | |
780 | cls.killProcess(auth); | |
781 | ||
782 | @classmethod | |
783 | def tearDownRecursor(cls): | |
784 | cls.killProcess(cls._recursor) | |
785 | ||
7568b07d | 786 | @classmethod |
fb611f07 | 787 | def sendUDPQuery(cls, query, timeout=2.0, decode=True, fwparams=dict()): |
7568b07d PL |
788 | if timeout: |
789 | cls._sock.settimeout(timeout) | |
790 | ||
791 | try: | |
792 | cls._sock.send(query.to_wire()) | |
793 | data = cls._sock.recv(4096) | |
794 | except socket.timeout: | |
795 | data = None | |
796 | finally: | |
797 | if timeout: | |
798 | cls._sock.settimeout(None) | |
799 | ||
800 | message = None | |
801 | if data: | |
fb611f07 RG |
802 | if not decode: |
803 | return data | |
554c69f9 | 804 | message = dns.message.from_wire(data, **fwparams) |
7568b07d PL |
805 | return message |
806 | ||
807 | @classmethod | |
808 | def sendTCPQuery(cls, query, timeout=2.0): | |
809 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
810 | if timeout: | |
811 | sock.settimeout(timeout) | |
812 | ||
813 | sock.connect(("127.0.0.1", cls._recursorPort)) | |
814 | ||
815 | try: | |
816 | wire = query.to_wire() | |
817 | sock.send(struct.pack("!H", len(wire))) | |
818 | sock.send(wire) | |
819 | data = sock.recv(2) | |
820 | if data: | |
821 | (datalen,) = struct.unpack("!H", data) | |
822 | data = sock.recv(datalen) | |
823 | except socket.timeout as e: | |
824 | print("Timeout: %s" % (str(e))) | |
825 | data = None | |
826 | except socket.error as e: | |
827 | print("Network error: %s" % (str(e))) | |
828 | data = None | |
829 | finally: | |
830 | sock.close() | |
831 | ||
832 | message = None | |
833 | if data: | |
834 | message = dns.message.from_wire(data) | |
835 | return message | |
836 | ||
c51c551e OM |
837 | @classmethod |
838 | def sendTCPQueries(cls, queries, timeout=2.0): | |
839 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
840 | if timeout: | |
841 | sock.settimeout(timeout) | |
842 | ||
843 | sock.connect(("127.0.0.1", cls._recursorPort)) | |
844 | data = [] | |
845 | try: | |
846 | for query in queries: | |
847 | wire = query.to_wire() | |
848 | sock.send(struct.pack("!H", len(wire))) | |
849 | sock.send(wire) | |
850 | for i in range(len(queries)): | |
851 | try: | |
852 | datalen = sock.recv(2) | |
853 | if datalen: | |
854 | (datalen,) = struct.unpack("!H", datalen) | |
855 | data.append(sock.recv(datalen)) | |
856 | except socket.timeout as e: | |
857 | continue | |
858 | except socket.error as e: | |
859 | print("Network error: %s" % (str(e))) | |
860 | data = None | |
861 | finally: | |
862 | sock.close() | |
863 | ||
864 | messages = [] | |
865 | for d in data: | |
866 | messages.append(dns.message.from_wire(d)) | |
867 | return messages | |
868 | ||
7568b07d PL |
869 | def setUp(self): |
870 | # This function is called before every tests | |
753a8109 | 871 | super(RecursorTest, self).setUp() |
7568b07d PL |
872 | |
873 | ## Functions for comparisons | |
874 | def assertMessageHasFlags(self, msg, flags, ednsflags=[]): | |
875 | """Asserts that msg has all the flags from flags set | |
876 | ||
877 | @param msg: the dns.message.Message to check | |
878 | @param flags: a list of strings with flag mnemonics (like ['RD', 'RA']) | |
879 | @param ednsflags: a list of strings with edns-flag mnemonics (like ['DO'])""" | |
880 | ||
881 | if not isinstance(msg, dns.message.Message): | |
882 | raise TypeError("msg is not a dns.message.Message") | |
883 | ||
884 | if isinstance(flags, list): | |
885 | for elem in flags: | |
886 | if not isinstance(elem, str): | |
887 | raise TypeError("flags is not a list of strings") | |
888 | else: | |
889 | raise TypeError("flags is not a list of strings") | |
890 | ||
891 | if isinstance(ednsflags, list): | |
892 | for elem in ednsflags: | |
893 | if not isinstance(elem, str): | |
894 | raise TypeError("ednsflags is not a list of strings") | |
895 | else: | |
896 | raise TypeError("ednsflags is not a list of strings") | |
897 | ||
898 | msgFlags = dns.flags.to_text(msg.flags).split() | |
899 | missingFlags = [flag for flag in flags if flag not in msgFlags] | |
900 | ||
8b16b9c2 | 901 | msgEdnsFlags = dns.flags.edns_to_text(msg.ednsflags).split() |
7568b07d PL |
902 | missingEdnsFlags = [ednsflag for ednsflag in ednsflags if ednsflag not in msgEdnsFlags] |
903 | ||
904 | if len(missingFlags) or len(missingEdnsFlags) or len(msgFlags) > len(flags): | |
905 | raise AssertionError("Expected flags '%s' (EDNS: '%s'), found '%s' (EDNS: '%s') in query %s" % | |
906 | (' '.join(flags), ' '.join(ednsflags), | |
907 | ' '.join(msgFlags), ' '.join(msgEdnsFlags), | |
908 | msg.question[0])) | |
909 | ||
910 | def assertMessageIsAuthenticated(self, msg): | |
911 | """Asserts that the message has the AD bit set | |
912 | ||
913 | @param msg: the dns.message.Message to check""" | |
914 | ||
915 | if not isinstance(msg, dns.message.Message): | |
916 | raise TypeError("msg is not a dns.message.Message") | |
917 | ||
918 | msgFlags = dns.flags.to_text(msg.flags) | |
919 | self.assertTrue('AD' in msgFlags, "No AD flag found in the message for %s" % msg.question[0].name) | |
920 | ||
921 | def assertRRsetInAnswer(self, msg, rrset): | |
922 | """Asserts the rrset (without comparing TTL) exists in the | |
923 | answer section of msg | |
924 | ||
925 | @param msg: the dns.message.Message to check | |
926 | @param rrset: a dns.rrset.RRset object""" | |
927 | ||
928 | ret = '' | |
929 | if not isinstance(msg, dns.message.Message): | |
930 | raise TypeError("msg is not a dns.message.Message") | |
931 | ||
932 | if not isinstance(rrset, dns.rrset.RRset): | |
933 | raise TypeError("rrset is not a dns.rrset.RRset") | |
934 | ||
935 | found = False | |
936 | for ans in msg.answer: | |
937 | ret += "%s\n" % ans.to_text() | |
938 | if ans.match(rrset.name, rrset.rdclass, rrset.rdtype, 0, None): | |
de9650d1 | 939 | self.assertEqual(ans, rrset, "'%s' != '%s'" % (ans.to_text(), rrset.to_text())) |
7568b07d PL |
940 | found = True |
941 | ||
942 | if not found: | |
6552b37b | 943 | raise AssertionError("RRset not found in answer\n\n%s" % ret) |
7568b07d | 944 | |
1fc89740 OM |
945 | def assertRRsetInAdditional(self, msg, rrset): |
946 | """Asserts the rrset (without comparing TTL) exists in the | |
947 | additional section of msg | |
948 | ||
949 | @param msg: the dns.message.Message to check | |
950 | @param rrset: a dns.rrset.RRset object""" | |
951 | ||
952 | ret = '' | |
953 | if not isinstance(msg, dns.message.Message): | |
954 | raise TypeError("msg is not a dns.message.Message") | |
955 | ||
956 | if not isinstance(rrset, dns.rrset.RRset): | |
957 | raise TypeError("rrset is not a dns.rrset.RRset") | |
958 | ||
959 | found = False | |
960 | for ans in msg.additional: | |
961 | ret += "%s\n" % ans.to_text() | |
962 | if ans.match(rrset.name, rrset.rdclass, rrset.rdtype, 0, None): | |
963 | self.assertEqual(ans, rrset, "'%s' != '%s'" % (ans.to_text(), rrset.to_text())) | |
964 | found = True | |
965 | ||
966 | if not found: | |
967 | raise AssertionError("RRset not found in additional section\n\n%s" % ret) | |
968 | ||
7568b07d PL |
969 | def assertMatchingRRSIGInAnswer(self, msg, coveredRRset, keys=None): |
970 | """Looks for coveredRRset in the answer section and if there is an RRSIG RRset | |
971 | that covers that RRset. If keys is not None, this function will also try to | |
972 | validate the RRset against the RRSIG | |
973 | ||
974 | @param msg: The dns.message.Message to check | |
975 | @param coveredRRset: The RRSet to check for | |
976 | @param keys: a dictionary keyed by dns.name.Name with node or rdataset values to use for validation""" | |
977 | ||
978 | if not isinstance(msg, dns.message.Message): | |
979 | raise TypeError("msg is not a dns.message.Message") | |
980 | ||
981 | if not isinstance(coveredRRset, dns.rrset.RRset): | |
982 | raise TypeError("coveredRRset is not a dns.rrset.RRset") | |
983 | ||
984 | msgRRsigRRSet = None | |
985 | msgRRSet = None | |
986 | ||
987 | ret = '' | |
988 | for ans in msg.answer: | |
989 | ret += ans.to_text() + "\n" | |
990 | ||
991 | if ans.match(coveredRRset.name, coveredRRset.rdclass, coveredRRset.rdtype, 0, None): | |
992 | msgRRSet = ans | |
993 | if ans.match(coveredRRset.name, dns.rdataclass.IN, dns.rdatatype.RRSIG, coveredRRset.rdtype, None): | |
994 | msgRRsigRRSet = ans | |
995 | if msgRRSet and msgRRsigRRSet: | |
996 | break | |
997 | ||
998 | if not msgRRSet: | |
999 | raise AssertionError("RRset for '%s' not found in answer" % msg.question[0].to_text()) | |
1000 | ||
1001 | if not msgRRsigRRSet: | |
1002 | raise AssertionError("No RRSIGs found in answer for %s:\nFull answer:\n%s" % (msg.question[0].to_text(), ret)) | |
1003 | ||
1004 | if keys: | |
1005 | try: | |
1006 | dns.dnssec.validate(msgRRSet, msgRRsigRRSet.to_rdataset(), keys) | |
1007 | except dns.dnssec.ValidationFailure as e: | |
1008 | raise AssertionError("Signature validation failed for %s:\n%s" % (msg.question[0].to_text(), e)) | |
1009 | ||
1fc89740 OM |
1010 | def assertMatchingRRSIGInAdditional(self, msg, coveredRRset, keys=None): |
1011 | """Looks for coveredRRset in the additional section and if there is an RRSIG RRset | |
1012 | that covers that RRset. If keys is not None, this function will also try to | |
1013 | validate the RRset against the RRSIG | |
1014 | ||
1015 | @param msg: The dns.message.Message to check | |
1016 | @param coveredRRset: The RRSet to check for | |
1017 | @param keys: a dictionary keyed by dns.name.Name with node or rdataset values to use for validation""" | |
1018 | ||
1019 | if not isinstance(msg, dns.message.Message): | |
1020 | raise TypeError("msg is not a dns.message.Message") | |
1021 | ||
1022 | if not isinstance(coveredRRset, dns.rrset.RRset): | |
1023 | raise TypeError("coveredRRset is not a dns.rrset.RRset") | |
1024 | ||
1025 | msgRRsigRRSet = None | |
1026 | msgRRSet = None | |
1027 | ||
1028 | ret = '' | |
1029 | for ans in msg.additional: | |
1030 | ret += ans.to_text() + "\n" | |
1031 | ||
1032 | if ans.match(coveredRRset.name, coveredRRset.rdclass, coveredRRset.rdtype, 0, None): | |
1033 | msgRRSet = ans | |
1034 | if ans.match(coveredRRset.name, dns.rdataclass.IN, dns.rdatatype.RRSIG, coveredRRset.rdtype, None): | |
1035 | msgRRsigRRSet = ans | |
1036 | if msgRRSet and msgRRsigRRSet: | |
1037 | break | |
1038 | ||
1039 | if not msgRRSet: | |
1040 | raise AssertionError("RRset for '%s' not found in additional" % msg.question[0].to_text()) | |
1041 | ||
1042 | if not msgRRsigRRSet: | |
1043 | raise AssertionError("No RRSIGs found in additional for %s:\nFull answer:\n%s" % (msg.question[0].to_text(), ret)) | |
1044 | ||
1045 | if keys: | |
1046 | try: | |
1047 | dns.dnssec.validate(msgRRSet, msgRRsigRRSet.to_rdataset(), keys) | |
1048 | except dns.dnssec.ValidationFailure as e: | |
1049 | raise AssertionError("Signature validation failed for %s:\n%s" % (msg.question[0].to_text(), e)) | |
1050 | ||
7568b07d PL |
1051 | def assertNoRRSIGsInAnswer(self, msg): |
1052 | """Checks if there are _no_ RRSIGs in the answer section of msg""" | |
1053 | ||
1054 | if not isinstance(msg, dns.message.Message): | |
1055 | raise TypeError("msg is not a dns.message.Message") | |
1056 | ||
1057 | ret = "" | |
1058 | for ans in msg.answer: | |
1059 | if ans.rdtype == dns.rdatatype.RRSIG: | |
1060 | ret += ans.name.to_text() + "\n" | |
1061 | ||
1062 | if len(ret): | |
1063 | raise AssertionError("RRSIG found in answers for:\n%s" % ret) | |
1064 | ||
1065 | def assertAnswerEmpty(self, msg): | |
1066 | self.assertTrue(len(msg.answer) == 0, "Data found in the the answer section for %s:\n%s" % (msg.question[0].to_text(), '\n'.join([i.to_text() for i in msg.answer]))) | |
1067 | ||
1fc89740 OM |
1068 | def assertAdditionalEmpty(self, msg): |
1069 | self.assertTrue(len(msg.additional) == 0, "Data found in the the additional section for %s:\n%s" % (msg.question[0].to_text(), '\n'.join([i.to_text() for i in msg.additional]))) | |
1070 | ||
7568b07d PL |
1071 | def assertRcodeEqual(self, msg, rcode): |
1072 | if not isinstance(msg, dns.message.Message): | |
1073 | raise TypeError("msg is not a dns.message.Message but a %s" % type(msg)) | |
1074 | ||
1075 | if not isinstance(rcode, int): | |
1076 | if isinstance(rcode, str): | |
1077 | rcode = dns.rcode.from_text(rcode) | |
1078 | else: | |
1079 | raise TypeError("rcode is neither a str nor int") | |
1080 | ||
1081 | if msg.rcode() != rcode: | |
3d144e24 PD |
1082 | msgRcode = dns.rcode.to_text(msg.rcode()) |
1083 | wantedRcode = dns.rcode.to_text(rcode) | |
7568b07d PL |
1084 | |
1085 | raise AssertionError("Rcode for %s is %s, expected %s." % (msg.question[0].to_text(), msgRcode, wantedRcode)) | |
05537f80 PL |
1086 | |
1087 | def assertAuthorityHasSOA(self, msg): | |
1088 | if not isinstance(msg, dns.message.Message): | |
1089 | raise TypeError("msg is not a dns.message.Message but a %s" % type(msg)) | |
1090 | ||
1091 | found = False | |
1092 | for rrset in msg.authority: | |
1093 | if rrset.rdtype == dns.rdatatype.SOA: | |
1094 | found = True | |
1095 | break | |
1096 | ||
1097 | if not found: | |
1098 | raise AssertionError("No SOA record found in the authority section:\n%s" % msg.to_text()) | |
f3f19ebe PL |
1099 | |
1100 | def assertResponseMatches(self, query, expectedRRs, response): | |
1101 | expectedResponse = dns.message.make_response(query) | |
1102 | ||
1103 | if query.flags & dns.flags.RD: | |
1104 | expectedResponse.flags |= dns.flags.RA | |
1105 | if query.flags & dns.flags.CD: | |
1106 | expectedResponse.flags |= dns.flags.CD | |
1107 | ||
1108 | expectedResponse.answer = expectedRRs | |
1109 | print(expectedResponse) | |
1110 | print(response) | |
4bfebc93 | 1111 | self.assertEqual(response, expectedResponse) |
c5b0071d RG |
1112 | |
1113 | @classmethod | |
1114 | def sendQuery(cls, name, rdtype, useTCP=False): | |
1115 | """Helper function that creates the query""" | |
1116 | msg = dns.message.make_query(name, rdtype, want_dnssec=True) | |
1117 | msg.flags |= dns.flags.AD | |
1118 | ||
1119 | if useTCP: | |
1120 | return cls.sendTCPQuery(msg) | |
1121 | return cls.sendUDPQuery(msg) | |
1122 | ||
1123 | def createQuery(self, name, rdtype, flags, ednsflags): | |
1124 | """Helper function that creates the query with the specified flags. | |
1125 | The flags need to be strings (no checking is performed atm)""" | |
1126 | msg = dns.message.make_query(name, rdtype) | |
1127 | msg.flags = dns.flags.from_text(flags) | |
1128 | msg.flags += dns.flags.from_text('RD') | |
1129 | msg.use_edns(edns=0, ednsflags=dns.flags.edns_from_text(ednsflags)) | |
1130 | return msg | |
9166ee1b RG |
1131 | |
1132 | @classmethod | |
1133 | def sendUDPQueryWithProxyProtocol(cls, query, v6, source, destination, sourcePort, destinationPort, values=[], timeout=2.0): | |
1134 | queryPayload = query.to_wire() | |
1135 | ppPayload = ProxyProtocol.getPayload(False, False, v6, source, destination, sourcePort, destinationPort, values) | |
1136 | payload = ppPayload + queryPayload | |
1137 | ||
1138 | if timeout: | |
1139 | cls._sock.settimeout(timeout) | |
1140 | ||
1141 | try: | |
1142 | cls._sock.send(payload) | |
1143 | data = cls._sock.recv(4096) | |
1144 | except socket.timeout: | |
1145 | data = None | |
1146 | finally: | |
1147 | if timeout: | |
1148 | cls._sock.settimeout(None) | |
1149 | ||
1150 | message = None | |
1151 | if data: | |
1152 | message = dns.message.from_wire(data) | |
1153 | return message | |
1154 | ||
1155 | @classmethod | |
1156 | def sendTCPQueryWithProxyProtocol(cls, query, v6, source, destination, sourcePort, destinationPort, values=[], timeout=2.0): | |
1157 | queryPayload = query.to_wire() | |
1158 | ppPayload = ProxyProtocol.getPayload(False, False, v6, source, destination, sourcePort, destinationPort, values) | |
1159 | ||
1160 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
1161 | if timeout: | |
1162 | sock.settimeout(timeout) | |
1163 | ||
1164 | sock.connect(("127.0.0.1", cls._recursorPort)) | |
1165 | ||
1166 | try: | |
1167 | sock.send(ppPayload) | |
1168 | sock.send(struct.pack("!H", len(queryPayload))) | |
1169 | sock.send(queryPayload) | |
1170 | data = sock.recv(2) | |
1171 | if data: | |
1172 | (datalen,) = struct.unpack("!H", data) | |
1173 | data = sock.recv(datalen) | |
1174 | except socket.timeout as e: | |
1175 | print("Timeout: %s" % (str(e))) | |
1176 | data = None | |
1177 | except socket.error as e: | |
1178 | print("Network error: %s" % (str(e))) | |
1179 | data = None | |
1180 | finally: | |
1181 | sock.close() | |
1182 | ||
1183 | message = None | |
1184 | if data: | |
1185 | message = dns.message.from_wire(data) | |
1186 | return message |