Commit | Line | Data |
---|---|---|
faa3b298 PL |
1 | import dns |
2 | from recursortests import RecursorTest | |
3 | ||
class testSimple(RecursorTest):
    """Check that negative trust anchors (NTAs) downgrade answers to Insecure.

    The recursor runs with ``dnssec=validate``. Every test sends an A query
    with AD and RD set plus the EDNS DO bit, then expects NOERROR and a flag
    list of QR, RA and RD. A Bogus chain would normally surface as a failure
    rcode and a Secure answer would carry AD, so NOERROR without AD is what an
    Insecure answer looks like on the wire.

    NOTE(review): AD is absent from the expected flag list, but whether an
    unexpected AD actually fails assertMessageHasFlags depends on that helper,
    which is defined outside this listing - confirm.
    """

    _confdir = 'NTA'

    _config_template = """dnssec=validate"""

    # Lua configuration under test:
    #   * an NTA for bogus.example, so validation failures below it are ignored;
    #   * an NTA *and* a trust anchor for secure.optout.example (#4391); the
    #     NTA has to win, otherwise an explicitly distrusted subtree could
    #     still be reported as Secure.
    # The anchor is in DS form: key tag 64215, algorithm 13, digest type 1
    # (a SHA-1 digest). That is fine for a fixture; anchors deployed for real
    # should prefer digest type 2 (SHA-256).
    # Blame column on the page: addNTA lines b9173568, addTA line 8f29eeaa.
    _lua_config_file = """addNTA("bogus.example")
addNTA('secure.optout.example', 'Should be Insecure, even with DS configured')
addTA('secure.optout.example', '64215 13 1 b88284d7a8d8605c398e8942262f97b9a5a31787')"""

    def _queryWithADandDO(self, qname):
        """Send an A query for qname over UDP with AD+RD and EDNS0 DO; return the reply"""
        query = dns.message.make_query(qname, dns.rdatatype.A)
        # AD and DO in the query both ask the recursor for DNSSEC status.
        query.flags = dns.flags.from_text('AD RD')
        query.use_edns(edns=0, ednsflags=dns.flags.edns_from_text('DO'))
        return self.sendUDPQuery(query)

    def testDirectNTA(self):
        """A direct query for a bogus name covered by an NTA must come back Insecure"""
        reply = self._queryWithADandDO("ted.bogus.example.")

        # NOERROR shows the NTA suppressed the validation failure.
        self.assertMessageHasFlags(reply, ['QR', 'RA', 'RD'], ['DO'])
        self.assertRcodeEqual(reply, dns.rcode.NOERROR)

    def testCNAMENTA(self):
        """A CNAME from a secure zone into a bogus zone covered by an NTA must come back Insecure"""
        reply = self._queryWithADandDO("cname-to-bogus.secure.example.")

        # The chain starts in a secure zone but ends under the NTA, so the
        # answer as a whole is expected without AD.
        self.assertMessageHasFlags(reply, ['QR', 'RA', 'RD'], ['DO'])
        self.assertRcodeEqual(reply, dns.rcode.NOERROR)

    def testSecureWithNTAandDS(self):
        """#4391: with both a TA *and* an NTA configured for a name, the result must be insecure"""
        # Blame column on the page: this test was added in b9173568.
        reply = self._queryWithADandDO("node1.secure.optout.example.")

        self.assertMessageHasFlags(reply, ['QR', 'RA', 'RD'], ['DO'])
        self.assertRcodeEqual(reply, dns.rcode.NOERROR)