1 #define BOOST_TEST_DYN_LINK
2 #include <boost/test/unit_test.hpp>
4 #include "test-syncres_cc.hh"
6 BOOST_AUTO_TEST_SUITE(syncres_cc4
)
8 BOOST_AUTO_TEST_CASE(test_auth_zone_nodata
)
10 std::unique_ptr
<SyncRes
> sr
;
15 size_t queriesCount
= 0;
16 const DNSName
target("nodata.powerdns.com.");
17 const DNSName
authZone("powerdns.com");
19 SyncRes::AuthDomain ad
;
22 dr
.d_place
= DNSResourceRecord::ANSWER
;
26 dr
.d_content
= std::make_shared
<ARecordContent
>(ComboAddress("192.0.2.1"));
27 ad
.d_records
.insert(dr
);
29 dr
.d_place
= DNSResourceRecord::ANSWER
;
31 dr
.d_type
= QType::SOA
;
33 dr
.d_content
= std::make_shared
<SOARecordContent
>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
34 ad
.d_records
.insert(dr
);
36 auto map
= std::make_shared
<SyncRes::domainmap_t
>();
37 (*map
)[authZone
] = ad
;
38 SyncRes::setDomainMap(map
);
40 sr
->setAsyncCallback([&queriesCount
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
43 return LWResult::Result::Timeout
;
46 vector
<DNSRecord
> ret
;
47 int res
= sr
->beginResolve(target
, QType(QType::AAAA
), QClass::IN
, ret
);
48 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
49 BOOST_REQUIRE_EQUAL(ret
.size(), 1U);
50 BOOST_CHECK(ret
[0].d_type
== QType::SOA
);
51 BOOST_CHECK_EQUAL(queriesCount
, 0U);
54 BOOST_AUTO_TEST_CASE(test_auth_zone_nx
)
56 std::unique_ptr
<SyncRes
> sr
;
61 size_t queriesCount
= 0;
62 const DNSName
target("nx.powerdns.com.");
63 const DNSName
authZone("powerdns.com");
65 SyncRes::AuthDomain ad
;
68 dr
.d_place
= DNSResourceRecord::ANSWER
;
69 dr
.d_name
= DNSName("powerdns.com.");
70 dr
.d_type
= QType::SOA
;
72 dr
.d_content
= std::make_shared
<SOARecordContent
>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
73 ad
.d_records
.insert(dr
);
75 auto map
= std::make_shared
<SyncRes::domainmap_t
>();
76 (*map
)[authZone
] = ad
;
77 SyncRes::setDomainMap(map
);
79 sr
->setAsyncCallback([&queriesCount
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
82 return LWResult::Result::Timeout
;
85 vector
<DNSRecord
> ret
;
86 int res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
87 BOOST_CHECK_EQUAL(res
, RCode::NXDomain
);
88 BOOST_REQUIRE_EQUAL(ret
.size(), 1U);
89 BOOST_CHECK(ret
[0].d_type
== QType::SOA
);
90 BOOST_CHECK_EQUAL(queriesCount
, 0U);
93 BOOST_AUTO_TEST_CASE(test_auth_zone_delegation
)
95 std::unique_ptr
<SyncRes
> sr
;
100 size_t queriesCount
= 0;
101 const DNSName
target("www.test.powerdns.com.");
102 const ComboAddress
targetAddr("192.0.2.2");
103 const DNSName
ns("ns1.test.powerdns.com.");
104 const ComboAddress
nsAddr("192.0.2.1");
105 const DNSName
authZone("powerdns.com");
107 SyncRes::AuthDomain ad
;
108 ad
.d_name
= authZone
;
110 dr
.d_place
= DNSResourceRecord::ANSWER
;
111 dr
.d_name
= authZone
;
112 dr
.d_type
= QType::SOA
;
114 dr
.d_content
= std::make_shared
<SOARecordContent
>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
115 ad
.d_records
.insert(dr
);
117 dr
.d_place
= DNSResourceRecord::ANSWER
;
118 dr
.d_name
= DNSName("test.powerdns.com.");
119 dr
.d_type
= QType::NS
;
121 dr
.d_content
= std::make_shared
<NSRecordContent
>(ns
);
122 ad
.d_records
.insert(dr
);
124 dr
.d_place
= DNSResourceRecord::ANSWER
;
126 dr
.d_type
= QType::A
;
128 dr
.d_content
= std::make_shared
<ARecordContent
>(nsAddr
);
129 ad
.d_records
.insert(dr
);
131 auto map
= std::make_shared
<SyncRes::domainmap_t
>();
132 (*map
)[authZone
] = ad
;
133 SyncRes::setDomainMap(map
);
136 auto luaconfsCopy
= g_luaconfs
.getCopy();
137 luaconfsCopy
.dsAnchors
.clear();
138 generateKeyMaterial(g_rootdnsname
, DNSSECKeeper::RSASHA512
, DNSSECKeeper::DIGEST_SHA384
, keys
, luaconfsCopy
.dsAnchors
);
139 g_luaconfs
.setState(luaconfsCopy
);
141 /* make sure that the signature inception and validity times are computed
142 based on the SyncRes time, not the current one, in case the function
144 const time_t fixedNow
= sr
->getNow().tv_sec
;
146 sr
->setAsyncCallback([&queriesCount
, target
, targetAddr
, nsAddr
, authZone
, keys
, fixedNow
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
148 if (type
== QType::DS
|| type
== QType::DNSKEY
) {
149 return genericDSAndDNSKEYHandler(res
, domain
, DNSName("."), type
, keys
, domain
== DNSName("com.") || domain
== authZone
, fixedNow
);
152 if (ip
== ComboAddress(nsAddr
.toString(), 53) && domain
== target
) {
153 setLWResult(res
, 0, true, false, true);
154 addRecordToLW(res
, domain
, QType::A
, targetAddr
.toString(), DNSResourceRecord::ANSWER
, 3600);
155 return LWResult::Result::Success
;
158 return LWResult::Result::Timeout
;
161 sr
->setDNSSECValidationRequested(true);
162 vector
<DNSRecord
> ret
;
163 int res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
164 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
165 BOOST_REQUIRE_EQUAL(ret
.size(), 1U);
166 BOOST_CHECK(ret
[0].d_type
== QType::A
);
167 BOOST_CHECK_EQUAL(queriesCount
, 1U);
168 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::Indeterminate
);
171 BOOST_AUTO_TEST_CASE(test_auth_zone_delegation_point
)
173 std::unique_ptr
<SyncRes
> sr
;
178 size_t queriesCount
= 0;
179 const DNSName
target("test.powerdns.com.");
180 const ComboAddress
targetAddr("192.0.2.2");
181 const DNSName
ns("ns1.test.powerdns.com.");
182 const ComboAddress
nsAddr("192.0.2.1");
183 const DNSName
authZone("powerdns.com");
185 SyncRes::AuthDomain ad
;
186 ad
.d_name
= authZone
;
188 dr
.d_place
= DNSResourceRecord::ANSWER
;
189 dr
.d_name
= authZone
;
190 dr
.d_type
= QType::SOA
;
192 dr
.d_content
= std::make_shared
<SOARecordContent
>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
193 ad
.d_records
.insert(dr
);
195 dr
.d_place
= DNSResourceRecord::ANSWER
;
196 dr
.d_name
= DNSName("test.powerdns.com.");
197 dr
.d_type
= QType::NS
;
199 dr
.d_content
= std::make_shared
<NSRecordContent
>(ns
);
200 ad
.d_records
.insert(dr
);
202 dr
.d_place
= DNSResourceRecord::ANSWER
;
204 dr
.d_type
= QType::A
;
206 dr
.d_content
= std::make_shared
<ARecordContent
>(nsAddr
);
207 ad
.d_records
.insert(dr
);
209 auto map
= std::make_shared
<SyncRes::domainmap_t
>();
210 (*map
)[authZone
] = ad
;
211 SyncRes::setDomainMap(map
);
213 sr
->setAsyncCallback([&queriesCount
, nsAddr
, target
, targetAddr
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
216 if (ip
== ComboAddress(nsAddr
.toString(), 53) && domain
== target
) {
217 setLWResult(res
, 0, true, false, true);
218 addRecordToLW(res
, domain
, QType::A
, targetAddr
.toString(), DNSResourceRecord::ANSWER
, 3600);
219 return LWResult::Result::Success
;
222 return LWResult::Result::Timeout
;
225 vector
<DNSRecord
> ret
;
226 int res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
227 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
228 BOOST_REQUIRE_EQUAL(ret
.size(), 1U);
229 BOOST_CHECK(ret
[0].d_type
== QType::A
);
230 BOOST_CHECK_EQUAL(queriesCount
, 1U);
233 BOOST_AUTO_TEST_CASE(test_auth_zone_wildcard
)
235 std::unique_ptr
<SyncRes
> sr
;
240 size_t queriesCount
= 0;
241 const DNSName
target("test.powerdns.com.");
242 const ComboAddress
targetAddr("192.0.2.2");
243 const DNSName
authZone("powerdns.com");
245 SyncRes::AuthDomain ad
;
246 ad
.d_name
= authZone
;
248 dr
.d_place
= DNSResourceRecord::ANSWER
;
249 dr
.d_name
= authZone
;
250 dr
.d_type
= QType::SOA
;
252 dr
.d_content
= std::make_shared
<SOARecordContent
>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
253 ad
.d_records
.insert(dr
);
255 dr
.d_place
= DNSResourceRecord::ANSWER
;
256 dr
.d_name
= DNSName("*.powerdns.com.");
257 dr
.d_type
= QType::A
;
259 dr
.d_content
= std::make_shared
<ARecordContent
>(targetAddr
);
260 ad
.d_records
.insert(dr
);
262 auto map
= std::make_shared
<SyncRes::domainmap_t
>();
263 (*map
)[authZone
] = ad
;
264 SyncRes::setDomainMap(map
);
266 sr
->setAsyncCallback([&queriesCount
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
269 return LWResult::Result::Timeout
;
272 vector
<DNSRecord
> ret
;
273 int res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
274 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
275 BOOST_REQUIRE_EQUAL(ret
.size(), 1U);
276 BOOST_CHECK(ret
[0].d_type
== QType::A
);
277 BOOST_CHECK_EQUAL(queriesCount
, 0U);
280 BOOST_AUTO_TEST_CASE(test_auth_zone_wildcard_with_ent
)
282 std::unique_ptr
<SyncRes
> sr
;
287 size_t queriesCount
= 0;
288 const DNSName
target("test.powerdns.com.");
289 const ComboAddress
targetAddr1("192.0.2.1");
290 const ComboAddress
targetAddr2("192.0.2.2");
291 const DNSName
authZone("powerdns.com");
293 SyncRes::AuthDomain ad
;
294 ad
.d_name
= authZone
;
296 dr
.d_place
= DNSResourceRecord::ANSWER
;
297 dr
.d_name
= authZone
;
298 dr
.d_type
= QType::SOA
;
300 dr
.d_content
= std::make_shared
<SOARecordContent
>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
301 ad
.d_records
.insert(dr
);
303 dr
.d_place
= DNSResourceRecord::ANSWER
;
304 dr
.d_name
= DNSName("abc.xyz.test.powerdns.com.");
305 dr
.d_type
= QType::A
;
307 dr
.d_content
= std::make_shared
<ARecordContent
>(targetAddr1
);
308 ad
.d_records
.insert(dr
);
310 dr
.d_place
= DNSResourceRecord::ANSWER
;
311 dr
.d_name
= DNSName("*.powerdns.com.");
312 dr
.d_type
= QType::A
;
314 dr
.d_content
= std::make_shared
<ARecordContent
>(targetAddr2
);
315 ad
.d_records
.insert(dr
);
317 auto map
= std::make_shared
<SyncRes::domainmap_t
>();
318 (*map
)[authZone
] = ad
;
319 SyncRes::setDomainMap(map
);
321 sr
->setAsyncCallback([&queriesCount
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
324 return LWResult::Result::Timeout
;
327 vector
<DNSRecord
> ret
;
328 int res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
329 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
330 BOOST_REQUIRE_EQUAL(ret
.size(), 1U);
332 // WARN below should be changed to CHECK once the issue is fixed.
333 const string
m("Please fix issue #8312");
334 BOOST_WARN_MESSAGE(ret
[0].d_type
== QType::SOA
, m
);
335 BOOST_CHECK_EQUAL(queriesCount
, 0U);
338 BOOST_AUTO_TEST_CASE(test_auth_zone_wildcard_nodata
)
340 std::unique_ptr
<SyncRes
> sr
;
345 size_t queriesCount
= 0;
346 const DNSName
target("test.powerdns.com.");
347 const ComboAddress
targetAddr("192.0.2.2");
348 const DNSName
authZone("powerdns.com");
350 SyncRes::AuthDomain ad
;
351 ad
.d_name
= authZone
;
353 dr
.d_place
= DNSResourceRecord::ANSWER
;
354 dr
.d_name
= authZone
;
355 dr
.d_type
= QType::SOA
;
357 dr
.d_content
= std::make_shared
<SOARecordContent
>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
358 ad
.d_records
.insert(dr
);
360 dr
.d_place
= DNSResourceRecord::ANSWER
;
361 dr
.d_name
= DNSName("*.powerdns.com.");
362 dr
.d_type
= QType::A
;
364 dr
.d_content
= std::make_shared
<ARecordContent
>(targetAddr
);
365 ad
.d_records
.insert(dr
);
367 auto map
= std::make_shared
<SyncRes::domainmap_t
>();
368 (*map
)[authZone
] = ad
;
369 SyncRes::setDomainMap(map
);
371 sr
->setAsyncCallback([&queriesCount
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
374 return LWResult::Result::Timeout
;
377 vector
<DNSRecord
> ret
;
378 int res
= sr
->beginResolve(target
, QType(QType::AAAA
), QClass::IN
, ret
);
379 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
380 BOOST_REQUIRE_EQUAL(ret
.size(), 1U);
381 BOOST_CHECK(ret
[0].d_type
== QType::SOA
);
382 BOOST_CHECK_EQUAL(queriesCount
, 0U);
385 BOOST_AUTO_TEST_CASE(test_auth_zone_cache_only
)
387 std::unique_ptr
<SyncRes
> sr
;
392 size_t queriesCount
= 0;
393 const DNSName
target("powerdns.com.");
394 const ComboAddress
addr("192.0.2.5");
396 SyncRes::AuthDomain ad
;
399 dr
.d_place
= DNSResourceRecord::ANSWER
;
401 dr
.d_type
= QType::SOA
;
403 dr
.d_content
= std::make_shared
<SOARecordContent
>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
404 ad
.d_records
.insert(dr
);
406 dr
.d_place
= DNSResourceRecord::ANSWER
;
408 dr
.d_type
= QType::A
;
410 dr
.d_content
= std::make_shared
<ARecordContent
>(addr
);
411 ad
.d_records
.insert(dr
);
413 auto map
= std::make_shared
<SyncRes::domainmap_t
>();
415 SyncRes::setDomainMap(map
);
417 sr
->setAsyncCallback([&queriesCount
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
419 setLWResult(res
, 0, true, false, true);
420 addRecordToLW(res
, domain
, QType::A
, "192.0.2.42");
421 return LWResult::Result::Success
;
424 /* simulate a no-RD query */
427 vector
<DNSRecord
> ret
;
428 int res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
429 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
430 BOOST_CHECK_EQUAL(ret
.size(), 1U);
431 BOOST_CHECK(ret
[0].d_type
== QType::A
);
432 BOOST_CHECK_EQUAL(getRR
<ARecordContent
>(ret
[0])->getCA().toString(), addr
.toString());
433 BOOST_CHECK_EQUAL(queriesCount
, 0U);
436 BOOST_AUTO_TEST_CASE(test_dnssec_rrsig
)
440 auto dcke
= DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256
);
441 dcke
->create(dcke
->getBits());
442 // cerr<<dcke->convertToISC()<<endl;
443 DNSSECPrivateKey dpk
;
445 dpk
.setKey(std::move(dcke
));
447 sortedRecords_t recordcontents
;
448 recordcontents
.insert(getRecordContent(QType::A
, "192.0.2.1"));
450 DNSName
qname("powerdns.com.");
452 time_t now
= time(nullptr);
453 RRSIGRecordContent rrc
;
454 /* this RRSIG is valid for the current second only */
455 computeRRSIG(dpk
, qname
, qname
, QType::A
, 600, 0, rrc
, recordcontents
, boost::none
, now
);
458 keyset
.insert(std::make_shared
<DNSKEYRecordContent
>(dpk
.getDNSKEY()));
460 std::vector
<std::shared_ptr
<RRSIGRecordContent
>> sigs
;
461 sigs
.push_back(std::make_shared
<RRSIGRecordContent
>(rrc
));
463 BOOST_CHECK(validateWithKeySet(now
, qname
, recordcontents
, sigs
, keyset
) == vState::Secure
);
466 BOOST_AUTO_TEST_CASE(test_dnssec_root_validation_csk
)
468 std::unique_ptr
<SyncRes
> sr
;
471 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
474 const DNSName
target(".");
477 auto luaconfsCopy
= g_luaconfs
.getCopy();
478 luaconfsCopy
.dsAnchors
.clear();
479 generateKeyMaterial(target
, DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
, luaconfsCopy
.dsAnchors
);
480 g_luaconfs
.setState(luaconfsCopy
);
482 size_t queriesCount
= 0;
484 sr
->setAsyncCallback([target
, &queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
487 if (domain
== target
&& type
== QType::NS
) {
489 setLWResult(res
, 0, true, false, true);
490 char addr
[] = "a.root-servers.net.";
491 for (char idx
= 'a'; idx
<= 'm'; idx
++) {
493 addRecordToLW(res
, domain
, QType::NS
, std::string(addr
), DNSResourceRecord::ANSWER
, 3600);
496 addRRSIG(keys
, res
->d_records
, domain
, 300);
498 addRecordToLW(res
, "a.root-servers.net.", QType::A
, "198.41.0.4", DNSResourceRecord::ADDITIONAL
, 3600);
499 addRecordToLW(res
, "a.root-servers.net.", QType::AAAA
, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL
, 3600);
501 return LWResult::Result::Success
;
503 else if (domain
== target
&& type
== QType::DNSKEY
) {
505 setLWResult(res
, 0, true, false, true);
507 addDNSKEY(keys
, domain
, 300, res
->d_records
);
508 addRRSIG(keys
, res
->d_records
, domain
, 300);
510 return LWResult::Result::Success
;
513 return LWResult::Result::Timeout
;
516 vector
<DNSRecord
> ret
;
517 int res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
518 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
519 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::Secure
);
520 /* 13 NS + 1 RRSIG */
521 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
522 BOOST_CHECK_EQUAL(queriesCount
, 2U);
524 /* again, to test the cache */
526 res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
527 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
528 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::Secure
);
529 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
530 BOOST_CHECK_EQUAL(queriesCount
, 2U);
533 BOOST_AUTO_TEST_CASE(test_dnssec_root_validation_ksk_zsk
)
535 std::unique_ptr
<SyncRes
> sr
;
538 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
541 const DNSName
target(".");
542 testkeysset_t zskeys
;
543 testkeysset_t kskeys
;
545 /* Generate key material for "." */
546 auto dckeZ
= DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256
);
547 dckeZ
->create(dckeZ
->getBits());
548 DNSSECPrivateKey ksk
;
550 ksk
.setKey(std::move(dckeZ
));
551 DSRecordContent kskds
= makeDSFromDNSKey(target
, ksk
.getDNSKEY(), DNSSECKeeper::DIGEST_SHA256
);
553 auto dckeK
= DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256
);
554 dckeK
->create(dckeK
->getBits());
555 DNSSECPrivateKey zsk
;
557 zsk
.setKey(std::move(dckeK
));
558 DSRecordContent zskds
= makeDSFromDNSKey(target
, zsk
.getDNSKEY(), DNSSECKeeper::DIGEST_SHA256
);
560 kskeys
[target
] = std::pair
<DNSSECPrivateKey
, DSRecordContent
>(ksk
, kskds
);
561 zskeys
[target
] = std::pair
<DNSSECPrivateKey
, DSRecordContent
>(zsk
, zskds
);
563 /* Set the root DS */
564 auto luaconfsCopy
= g_luaconfs
.getCopy();
565 luaconfsCopy
.dsAnchors
.clear();
566 luaconfsCopy
.dsAnchors
[g_rootdnsname
].insert(kskds
);
567 g_luaconfs
.setState(luaconfsCopy
);
569 size_t queriesCount
= 0;
571 sr
->setAsyncCallback([target
, &queriesCount
, zskeys
, kskeys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
574 if (domain
== target
&& type
== QType::NS
) {
576 setLWResult(res
, 0, true, false, true);
577 char addr
[] = "a.root-servers.net.";
578 for (char idx
= 'a'; idx
<= 'm'; idx
++) {
580 addRecordToLW(res
, domain
, QType::NS
, std::string(addr
), DNSResourceRecord::ANSWER
, 3600);
583 addRRSIG(zskeys
, res
->d_records
, domain
, 300);
585 addRecordToLW(res
, "a.root-servers.net.", QType::A
, "198.41.0.4", DNSResourceRecord::ADDITIONAL
, 3600);
586 addRecordToLW(res
, "a.root-servers.net.", QType::AAAA
, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL
, 3600);
588 return LWResult::Result::Success
;
590 else if (domain
== target
&& type
== QType::DNSKEY
) {
592 setLWResult(res
, 0, true, false, true);
594 addDNSKEY(kskeys
, domain
, 300, res
->d_records
);
595 addDNSKEY(zskeys
, domain
, 300, res
->d_records
);
596 addRRSIG(kskeys
, res
->d_records
, domain
, 300);
598 return LWResult::Result::Success
;
601 return LWResult::Result::Timeout
;
604 vector
<DNSRecord
> ret
;
605 int res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
606 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
607 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::Secure
);
608 /* 13 NS + 1 RRSIG */
609 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
610 BOOST_CHECK_EQUAL(queriesCount
, 2U);
612 /* again, to test the cache */
614 res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
615 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
616 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::Secure
);
617 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
618 BOOST_CHECK_EQUAL(queriesCount
, 2U);
621 BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_dnskey
)
623 std::unique_ptr
<SyncRes
> sr
;
626 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
629 const DNSName
target(".");
632 auto luaconfsCopy
= g_luaconfs
.getCopy();
633 luaconfsCopy
.dsAnchors
.clear();
634 generateKeyMaterial(target
, DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
, luaconfsCopy
.dsAnchors
);
635 g_luaconfs
.setState(luaconfsCopy
);
637 size_t queriesCount
= 0;
639 sr
->setAsyncCallback([target
, &queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
642 if (domain
== target
&& type
== QType::NS
) {
644 setLWResult(res
, 0, true, false, true);
645 char addr
[] = "a.root-servers.net.";
646 for (char idx
= 'a'; idx
<= 'm'; idx
++) {
648 addRecordToLW(res
, domain
, QType::NS
, std::string(addr
), DNSResourceRecord::ANSWER
, 3600);
651 addRRSIG(keys
, res
->d_records
, domain
, 300);
653 addRecordToLW(res
, "a.root-servers.net.", QType::A
, "198.41.0.4", DNSResourceRecord::ADDITIONAL
, 3600);
654 addRecordToLW(res
, "a.root-servers.net.", QType::AAAA
, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL
, 3600);
656 return LWResult::Result::Success
;
658 else if (domain
== target
&& type
== QType::DNSKEY
) {
660 setLWResult(res
, 0, true, false, true);
664 return LWResult::Result::Success
;
667 return LWResult::Result::Timeout
;
670 vector
<DNSRecord
> ret
;
671 int res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
672 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
673 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusMissingNegativeIndication
);
674 /* 13 NS + 1 RRSIG */
675 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
676 BOOST_CHECK_EQUAL(queriesCount
, 2U);
678 /* again, to test the cache */
680 res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
681 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
682 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusMissingNegativeIndication
);
683 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
684 BOOST_CHECK_EQUAL(queriesCount
, 2U);
687 BOOST_AUTO_TEST_CASE(test_dnssec_bogus_dnskey_without_zone_flag
)
689 std::unique_ptr
<SyncRes
> sr
;
692 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
695 const DNSName
target(".");
698 /* Generate key material for "." */
699 auto dcke
= DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256
);
700 dcke
->create(dcke
->getBits());
701 DNSSECPrivateKey csk
;
703 csk
.setKey(std::move(dcke
));
704 DSRecordContent ds
= makeDSFromDNSKey(target
, csk
.getDNSKEY(), DNSSECKeeper::DIGEST_SHA256
);
706 keys
[target
] = std::pair
<DNSSECPrivateKey
, DSRecordContent
>(csk
, ds
);
708 /* Set the root DS */
709 auto luaconfsCopy
= g_luaconfs
.getCopy();
710 luaconfsCopy
.dsAnchors
.clear();
711 luaconfsCopy
.dsAnchors
[g_rootdnsname
].insert(ds
);
712 g_luaconfs
.setState(luaconfsCopy
);
714 size_t queriesCount
= 0;
716 sr
->setAsyncCallback([target
, &queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
719 if (domain
== target
&& type
== QType::NS
) {
721 setLWResult(res
, 0, true, false, true);
722 char addr
[] = "a.root-servers.net.";
723 for (char idx
= 'a'; idx
<= 'm'; idx
++) {
725 addRecordToLW(res
, domain
, QType::NS
, std::string(addr
), DNSResourceRecord::ANSWER
, 3600);
728 addRRSIG(keys
, res
->d_records
, domain
, 300);
729 addRecordToLW(res
, "a.root-servers.net.", QType::A
, "198.41.0.4", DNSResourceRecord::ADDITIONAL
, 3600);
730 addRecordToLW(res
, "a.root-servers.net.", QType::AAAA
, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL
, 3600);
732 return LWResult::Result::Success
;
734 else if (domain
== target
&& type
== QType::DNSKEY
) {
736 setLWResult(res
, 0, true, false, true);
738 addDNSKEY(keys
, domain
, 300, res
->d_records
);
739 addRRSIG(keys
, res
->d_records
, domain
, 300);
741 return LWResult::Result::Success
;
744 return LWResult::Result::Timeout
;
747 vector
<DNSRecord
> ret
;
748 int res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
749 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
750 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoZoneKeyBitSet
);
751 /* 13 NS + 1 RRSIG */
752 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
753 BOOST_CHECK_EQUAL(queriesCount
, 2U);
755 /* again, to test the cache */
757 res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
758 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
759 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoZoneKeyBitSet
);
760 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
761 BOOST_CHECK_EQUAL(queriesCount
, 2U);
764 BOOST_AUTO_TEST_CASE(test_dnssec_bogus_dnskey_revoked
)
766 std::unique_ptr
<SyncRes
> sr
;
769 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
772 const DNSName
target(".");
775 /* Generate key material for "." */
776 auto dcke
= DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256
);
777 dcke
->create(dcke
->getBits());
778 DNSSECPrivateKey csk
;
779 csk
.d_flags
= 257 | 128;
780 csk
.setKey(std::move(dcke
));
781 DSRecordContent ds
= makeDSFromDNSKey(target
, csk
.getDNSKEY(), DNSSECKeeper::DIGEST_SHA256
);
783 keys
[target
] = std::pair
<DNSSECPrivateKey
, DSRecordContent
>(csk
, ds
);
785 /* Set the root DS */
786 auto luaconfsCopy
= g_luaconfs
.getCopy();
787 luaconfsCopy
.dsAnchors
.clear();
788 luaconfsCopy
.dsAnchors
[g_rootdnsname
].insert(ds
);
789 g_luaconfs
.setState(luaconfsCopy
);
791 size_t queriesCount
= 0;
793 sr
->setAsyncCallback([target
, &queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
796 if (domain
== target
&& type
== QType::NS
) {
798 setLWResult(res
, 0, true, false, true);
799 char addr
[] = "a.root-servers.net.";
800 for (char idx
= 'a'; idx
<= 'm'; idx
++) {
802 addRecordToLW(res
, domain
, QType::NS
, std::string(addr
), DNSResourceRecord::ANSWER
, 3600);
805 addRRSIG(keys
, res
->d_records
, domain
, 300);
806 addRecordToLW(res
, "a.root-servers.net.", QType::A
, "198.41.0.4", DNSResourceRecord::ADDITIONAL
, 3600);
807 addRecordToLW(res
, "a.root-servers.net.", QType::AAAA
, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL
, 3600);
809 return LWResult::Result::Success
;
811 else if (domain
== target
&& type
== QType::DNSKEY
) {
813 setLWResult(res
, 0, true, false, true);
815 addDNSKEY(keys
, domain
, 300, res
->d_records
);
816 addRRSIG(keys
, res
->d_records
, domain
, 300);
818 return LWResult::Result::Success
;
821 return LWResult::Result::Timeout
;
824 vector
<DNSRecord
> ret
;
825 int res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
826 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
827 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusRevokedDNSKEY
);
828 /* 13 NS + 1 RRSIG */
829 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
830 BOOST_CHECK_EQUAL(queriesCount
, 2U);
832 /* again, to test the cache */
834 res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
835 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
836 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusRevokedDNSKEY
);
837 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
838 BOOST_CHECK_EQUAL(queriesCount
, 2U);
840 BOOST_AUTO_TEST_CASE(test_dnssec_bogus_dnskey_doesnt_match_ds
)
842 std::unique_ptr
<SyncRes
> sr
;
845 setDNSSECValidation(sr
, DNSSECMode::Process
);
848 const DNSName
target(".");
849 testkeysset_t dskeys
;
852 /* Generate key material for "." */
853 auto dckeDS
= DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256
);
854 dckeDS
->create(dckeDS
->getBits());
855 DNSSECPrivateKey dskey
;
857 dskey
.setKey(std::move(dckeDS
));
858 DSRecordContent drc
= makeDSFromDNSKey(target
, dskey
.getDNSKEY(), DNSSECKeeper::DIGEST_SHA256
);
860 auto dcke
= DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256
);
861 dcke
->create(dcke
->getBits());
862 DNSSECPrivateKey dpk
;
864 dpk
.setKey(std::move(dcke
));
865 DSRecordContent uselessdrc
= makeDSFromDNSKey(target
, dpk
.getDNSKEY(), DNSSECKeeper::DIGEST_SHA256
);
867 dskeys
[target
] = std::pair
<DNSSECPrivateKey
, DSRecordContent
>(dskey
, drc
);
868 keys
[target
] = std::pair
<DNSSECPrivateKey
, DSRecordContent
>(dpk
, uselessdrc
);
870 /* Set the root DS */
871 auto luaconfsCopy
= g_luaconfs
.getCopy();
872 luaconfsCopy
.dsAnchors
.clear();
873 luaconfsCopy
.dsAnchors
[g_rootdnsname
].insert(drc
);
874 g_luaconfs
.setState(luaconfsCopy
);
876 size_t queriesCount
= 0;
878 sr
->setAsyncCallback([target
, &queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
881 if (domain
== target
&& type
== QType::NS
) {
883 setLWResult(res
, 0, true, false, true);
884 char addr
[] = "a.root-servers.net.";
885 for (char idx
= 'a'; idx
<= 'm'; idx
++) {
887 addRecordToLW(res
, domain
, QType::NS
, std::string(addr
), DNSResourceRecord::ANSWER
, 3600);
890 addRRSIG(keys
, res
->d_records
, domain
, 300);
892 addRecordToLW(res
, "a.root-servers.net.", QType::A
, "198.41.0.4", DNSResourceRecord::ADDITIONAL
, 3600);
893 addRecordToLW(res
, "a.root-servers.net.", QType::AAAA
, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL
, 3600);
895 return LWResult::Result::Success
;
897 else if (domain
== target
&& type
== QType::DNSKEY
) {
899 setLWResult(res
, 0, true, false, true);
901 addDNSKEY(keys
, domain
, 300, res
->d_records
);
902 addRRSIG(keys
, res
->d_records
, domain
, 300);
904 return LWResult::Result::Success
;
907 return LWResult::Result::Timeout
;
910 /* === with validation enabled === */
911 sr
->setDNSSECValidationRequested(true);
912 vector
<DNSRecord
> ret
;
913 int res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
914 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
915 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoValidDNSKEY
);
916 /* 13 NS + 1 RRSIG */
917 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
918 BOOST_CHECK_EQUAL(queriesCount
, 2U);
920 /* again, to test the cache */
922 res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
923 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
924 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoValidDNSKEY
);
925 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
926 BOOST_CHECK_EQUAL(queriesCount
, 2U);
928 /* === first without validation, then with (just-in-time validation) === */
929 /* clear the caches */
930 g_recCache
= std::make_unique
<MemRecursorCache
>();
931 g_negCache
= std::make_unique
<NegCache
>();
932 sr
->setDNSSECValidationRequested(false);
936 res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
937 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
938 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::Indeterminate
);
939 /* 13 NS + 1 RRSIG */
940 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
941 BOOST_CHECK_EQUAL(queriesCount
, 3U);
943 /* now we ask for the DNSKEYs (still without validation) */
945 res
= sr
->beginResolve(target
, QType(QType::DNSKEY
), QClass::IN
, ret
);
946 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
947 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::Indeterminate
);
948 /* 1 SOA + 1 RRSIG */
949 BOOST_REQUIRE_EQUAL(ret
.size(), 2U);
950 BOOST_CHECK_EQUAL(queriesCount
, 4U);
952 /* again, to test the cache WITH validation */
953 sr
->setDNSSECValidationRequested(true);
955 res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
956 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
957 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoValidDNSKEY
);
958 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
959 BOOST_CHECK_EQUAL(queriesCount
, 4U);
962 BOOST_AUTO_TEST_CASE(test_dnssec_bogus_rrsig_signed_with_unknown_dnskey
)
964 std::unique_ptr
<SyncRes
> sr
;
967 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
970 const DNSName
target(".");
972 testkeysset_t rrsigkeys
;
974 auto luaconfsCopy
= g_luaconfs
.getCopy();
975 luaconfsCopy
.dsAnchors
.clear();
976 generateKeyMaterial(target
, DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
, luaconfsCopy
.dsAnchors
);
977 g_luaconfs
.setState(luaconfsCopy
);
979 auto dckeRRSIG
= DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256
);
980 dckeRRSIG
->create(dckeRRSIG
->getBits());
981 DNSSECPrivateKey rrsigkey
;
982 rrsigkey
.d_flags
= 257;
983 rrsigkey
.setKey(std::move(dckeRRSIG
));
984 DSRecordContent rrsigds
= makeDSFromDNSKey(target
, rrsigkey
.getDNSKEY(), DNSSECKeeper::DIGEST_SHA256
);
986 rrsigkeys
[target
] = std::pair
<DNSSECPrivateKey
, DSRecordContent
>(rrsigkey
, rrsigds
);
988 size_t queriesCount
= 0;
990 sr
->setAsyncCallback([target
, &queriesCount
, keys
, rrsigkeys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
993 if (domain
== target
&& type
== QType::NS
) {
995 setLWResult(res
, 0, true, false, true);
996 char addr
[] = "a.root-servers.net.";
997 for (char idx
= 'a'; idx
<= 'm'; idx
++) {
999 addRecordToLW(res
, domain
, QType::NS
, std::string(addr
), DNSResourceRecord::ANSWER
, 3600);
1002 addRRSIG(rrsigkeys
, res
->d_records
, domain
, 300);
1004 addRecordToLW(res
, "a.root-servers.net.", QType::A
, "198.41.0.4", DNSResourceRecord::ADDITIONAL
, 3600);
1005 addRecordToLW(res
, "a.root-servers.net.", QType::AAAA
, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL
, 3600);
1007 return LWResult::Result::Success
;
1009 else if (domain
== target
&& type
== QType::DNSKEY
) {
1011 setLWResult(res
, 0, true, false, true);
1013 addDNSKEY(keys
, domain
, 300, res
->d_records
);
1014 addRRSIG(rrsigkeys
, res
->d_records
, domain
, 300);
1016 return LWResult::Result::Success
;
1019 return LWResult::Result::Timeout
;
1022 vector
<DNSRecord
> ret
;
1023 int res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
1024 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1025 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoValidRRSIG
);
1026 /* 13 NS + 1 RRSIG */
1027 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
1028 BOOST_CHECK_EQUAL(queriesCount
, 2U);
1030 /* again, to test the cache */
1032 res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
1033 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1034 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoValidRRSIG
);
1035 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
1036 BOOST_CHECK_EQUAL(queriesCount
, 2U);
1039 BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_rrsig
)
1041 std::unique_ptr
<SyncRes
> sr
;
1044 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
1047 const DNSName
target(".");
1050 auto luaconfsCopy
= g_luaconfs
.getCopy();
1051 luaconfsCopy
.dsAnchors
.clear();
1052 generateKeyMaterial(target
, DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
, luaconfsCopy
.dsAnchors
);
1053 g_luaconfs
.setState(luaconfsCopy
);
1055 size_t queriesCount
= 0;
1057 sr
->setAsyncCallback([target
, &queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
1060 if (domain
== target
&& type
== QType::NS
) {
1062 setLWResult(res
, 0, true, false, true);
1063 char addr
[] = "a.root-servers.net.";
1064 for (char idx
= 'a'; idx
<= 'm'; idx
++) {
1066 addRecordToLW(res
, domain
, QType::NS
, std::string(addr
), DNSResourceRecord::ANSWER
, 86400);
1071 addRecordToLW(res
, "a.root-servers.net.", QType::A
, "198.41.0.4", DNSResourceRecord::ADDITIONAL
, 3600);
1072 addRecordToLW(res
, "a.root-servers.net.", QType::AAAA
, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL
, 3600);
1074 return LWResult::Result::Success
;
1076 else if (domain
== target
&& type
== QType::DNSKEY
) {
1078 setLWResult(res
, 0, true, false, true);
1080 addDNSKEY(keys
, domain
, 300, res
->d_records
);
1081 addRRSIG(keys
, res
->d_records
, domain
, 300);
1083 return LWResult::Result::Success
;
1086 return LWResult::Result::Timeout
;
1089 SyncRes::s_maxcachettl
= 86400;
1090 SyncRes::s_maxbogusttl
= 3600;
1092 vector
<DNSRecord
> ret
;
1093 int res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
1094 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1095 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoRRSIG
);
1096 /* 13 NS + 0 RRSIG */
1097 BOOST_REQUIRE_EQUAL(ret
.size(), 13U);
1098 /* no RRSIG so no query for DNSKEYs */
1099 BOOST_CHECK_EQUAL(queriesCount
, 1U);
1101 /* again, to test the cache */
1103 res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
1104 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1105 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoRRSIG
);
1106 BOOST_REQUIRE_EQUAL(ret
.size(), 13U);
1107 /* check that we capped the TTL to max-cache-bogus-ttl */
1108 for (const auto& record
: ret
) {
1109 BOOST_CHECK_LE(record
.d_ttl
, SyncRes::s_maxbogusttl
);
1111 BOOST_CHECK_EQUAL(queriesCount
, 1U);
1114 BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_rrsig_noaa
)
1116 std::unique_ptr
<SyncRes
> sr
;
1119 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
1122 const DNSName
target(".");
1125 auto luaconfsCopy
= g_luaconfs
.getCopy();
1126 luaconfsCopy
.dsAnchors
.clear();
1127 generateKeyMaterial(target
, DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
, luaconfsCopy
.dsAnchors
);
1128 g_luaconfs
.setState(luaconfsCopy
);
1130 size_t queriesCount
= 0;
1132 sr
->setAsyncCallback([target
, &queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
1135 if (domain
== target
&& type
== QType::NS
) {
1137 /* We are not setting AA! */
1138 setLWResult(res
, 0, false, false, true);
1139 char addr
[] = "a.root-servers.net.";
1140 for (char idx
= 'a'; idx
<= 'm'; idx
++) {
1142 addRecordToLW(res
, domain
, QType::NS
, std::string(addr
), DNSResourceRecord::ANSWER
, 86400);
1147 addRecordToLW(res
, "a.root-servers.net.", QType::A
, "198.41.0.4", DNSResourceRecord::ADDITIONAL
, 3600);
1148 addRecordToLW(res
, "a.root-servers.net.", QType::AAAA
, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL
, 3600);
1150 return LWResult::Result::Success
;
1152 else if (domain
== target
&& type
== QType::DNSKEY
) {
1154 setLWResult(res
, 0, true, false, true);
1156 addDNSKEY(keys
, domain
, 300, res
->d_records
);
1157 addRRSIG(keys
, res
->d_records
, domain
, 300);
1159 return LWResult::Result::Success
;
1162 return LWResult::Result::Timeout
;
1165 SyncRes::s_maxcachettl
= 86400;
1166 SyncRes::s_maxbogusttl
= 3600;
1168 vector
<DNSRecord
> ret
;
1169 int res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
1170 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1171 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoRRSIG
);
1172 /* 13 NS + 0 RRSIG */
1173 BOOST_REQUIRE_EQUAL(ret
.size(), 13U);
1174 /* no RRSIG so no query for DNSKEYs */
1175 BOOST_CHECK_EQUAL(queriesCount
, 1U);
1177 /* again, to test the cache */
1179 res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
1180 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1181 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoRRSIG
);
1182 BOOST_REQUIRE_EQUAL(ret
.size(), 13U);
1183 /* check that we capped the TTL to max-cache-bogus-ttl */
1184 for (const auto& record
: ret
) {
1185 BOOST_CHECK_LE(record
.d_ttl
, SyncRes::s_maxbogusttl
);
1187 BOOST_CHECK_EQUAL(queriesCount
, 1U);
1190 BOOST_AUTO_TEST_CASE(test_dnssec_insecure_unknown_ds_algorithm
)
1192 std::unique_ptr
<SyncRes
> sr
;
1195 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
1198 const DNSName
target(".");
1201 /* Generate key material for "." */
1202 auto dcke
= DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256
);
1203 dcke
->create(dcke
->getBits());
1204 DNSSECPrivateKey dpk
;
1206 dpk
.setKey(std::move(dcke
));
1207 /* Fake algorithm number (private) */
1208 dpk
.d_algorithm
= 253;
1210 DSRecordContent drc
= makeDSFromDNSKey(target
, dpk
.getDNSKEY(), DNSSECKeeper::DIGEST_SHA256
);
1211 keys
[target
] = std::pair
<DNSSECPrivateKey
, DSRecordContent
>(dpk
, drc
);
1212 /* Fake algorithm number (private) */
1213 drc
.d_algorithm
= 253;
1215 /* Set the root DS */
1216 auto luaconfsCopy
= g_luaconfs
.getCopy();
1217 luaconfsCopy
.dsAnchors
.clear();
1218 luaconfsCopy
.dsAnchors
[g_rootdnsname
].insert(drc
);
1219 g_luaconfs
.setState(luaconfsCopy
);
1221 size_t queriesCount
= 0;
1223 sr
->setAsyncCallback([target
, &queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
1226 if (domain
== target
&& type
== QType::NS
) {
1228 setLWResult(res
, 0, true, false, true);
1229 char addr
[] = "a.root-servers.net.";
1230 for (char idx
= 'a'; idx
<= 'm'; idx
++) {
1232 addRecordToLW(res
, domain
, QType::NS
, std::string(addr
), DNSResourceRecord::ANSWER
, 3600);
1235 addRRSIG(keys
, res
->d_records
, domain
, 300);
1237 addRecordToLW(res
, "a.root-servers.net.", QType::A
, "198.41.0.4", DNSResourceRecord::ADDITIONAL
, 3600);
1238 addRecordToLW(res
, "a.root-servers.net.", QType::AAAA
, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL
, 3600);
1240 return LWResult::Result::Success
;
1242 else if (domain
== target
&& type
== QType::DNSKEY
) {
1244 setLWResult(res
, 0, true, false, true);
1246 addDNSKEY(keys
, domain
, 300, res
->d_records
);
1247 addRRSIG(keys
, res
->d_records
, domain
, 300);
1249 return LWResult::Result::Success
;
1252 return LWResult::Result::Timeout
;
1255 vector
<DNSRecord
> ret
;
1256 int res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
1257 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1258 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::Insecure
);
1259 /* 13 NS + 1 RRSIG */
1260 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
1261 /* no supported DS so no query for DNSKEYs */
1262 BOOST_CHECK_EQUAL(queriesCount
, 1U);
1264 /* again, to test the cache */
1266 res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
1267 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1268 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::Insecure
);
1269 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
1270 BOOST_CHECK_EQUAL(queriesCount
, 1U);
1273 BOOST_AUTO_TEST_CASE(test_dnssec_insecure_unknown_ds_digest
)
1275 std::unique_ptr
<SyncRes
> sr
;
1278 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
1281 const DNSName
target(".");
1284 /* Generate key material for "." */
1285 auto dcke
= DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256
);
1286 dcke
->create(dcke
->getBits());
1287 DNSSECPrivateKey dpk
;
1289 dpk
.setKey(std::move(dcke
));
1290 DSRecordContent drc
= makeDSFromDNSKey(target
, dpk
.getDNSKEY(), DNSSECKeeper::DIGEST_SHA256
);
1291 /* Fake digest number (reserved) */
1292 drc
.d_digesttype
= 0;
1294 keys
[target
] = std::pair
<DNSSECPrivateKey
, DSRecordContent
>(dpk
, drc
);
1296 /* Set the root DS */
1297 auto luaconfsCopy
= g_luaconfs
.getCopy();
1298 luaconfsCopy
.dsAnchors
.clear();
1299 luaconfsCopy
.dsAnchors
[g_rootdnsname
].insert(drc
);
1300 g_luaconfs
.setState(luaconfsCopy
);
1302 size_t queriesCount
= 0;
1304 sr
->setAsyncCallback([target
, &queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
1307 if (domain
== target
&& type
== QType::NS
) {
1309 setLWResult(res
, 0, true, false, true);
1310 char addr
[] = "a.root-servers.net.";
1311 for (char idx
= 'a'; idx
<= 'm'; idx
++) {
1313 addRecordToLW(res
, domain
, QType::NS
, std::string(addr
), DNSResourceRecord::ANSWER
, 3600);
1316 addRRSIG(keys
, res
->d_records
, domain
, 300);
1318 addRecordToLW(res
, "a.root-servers.net.", QType::A
, "198.41.0.4", DNSResourceRecord::ADDITIONAL
, 3600);
1319 addRecordToLW(res
, "a.root-servers.net.", QType::AAAA
, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL
, 3600);
1321 return LWResult::Result::Success
;
1323 else if (domain
== target
&& type
== QType::DNSKEY
) {
1325 setLWResult(res
, 0, true, false, true);
1327 addDNSKEY(keys
, domain
, 300, res
->d_records
);
1328 addRRSIG(keys
, res
->d_records
, domain
, 300);
1330 return LWResult::Result::Success
;
1333 return LWResult::Result::Timeout
;
1336 vector
<DNSRecord
> ret
;
1337 int res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
1338 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1339 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::Insecure
);
1340 /* 13 NS + 1 RRSIG */
1341 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
1342 /* no supported DS so no query for DNSKEYs */
1343 BOOST_CHECK_EQUAL(queriesCount
, 1U);
1345 /* again, to test the cache */
1347 res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
1348 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1349 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::Insecure
);
1350 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
1351 BOOST_CHECK_EQUAL(queriesCount
, 1U);
1354 BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_sig
)
1356 std::unique_ptr
<SyncRes
> sr
;
1359 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
1362 const DNSName
target(".");
1365 auto luaconfsCopy
= g_luaconfs
.getCopy();
1366 luaconfsCopy
.dsAnchors
.clear();
1367 generateKeyMaterial(g_rootdnsname
, DNSSECKeeper::RSASHA512
, DNSSECKeeper::DIGEST_SHA384
, keys
, luaconfsCopy
.dsAnchors
);
1369 g_luaconfs
.setState(luaconfsCopy
);
1370 /* make sure that the signature inception and validity times are computed
1371 based on the SyncRes time, not the current one, in case the function
1373 const time_t fixedNow
= sr
->getNow().tv_sec
;
1375 size_t queriesCount
= 0;
1377 sr
->setAsyncCallback([target
, &queriesCount
, keys
, fixedNow
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
1380 if (domain
== target
&& type
== QType::NS
) {
1382 setLWResult(res
, 0, true, false, true);
1383 char addr
[] = "a.root-servers.net.";
1384 for (char idx
= 'a'; idx
<= 'm'; idx
++) {
1386 addRecordToLW(res
, domain
, QType::NS
, std::string(addr
), DNSResourceRecord::ANSWER
, 3600);
1389 addRRSIG(keys
, res
->d_records
, domain
, 300, true, boost::none
, boost::none
, fixedNow
);
1391 addRecordToLW(res
, "a.root-servers.net.", QType::A
, "198.41.0.4", DNSResourceRecord::ADDITIONAL
, 3600);
1392 addRecordToLW(res
, "a.root-servers.net.", QType::AAAA
, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL
, 3600);
1394 return LWResult::Result::Success
;
1396 else if (domain
== target
&& type
== QType::DNSKEY
) {
1398 setLWResult(res
, 0, true, false, true);
1400 addDNSKEY(keys
, domain
, 300, res
->d_records
);
1401 addRRSIG(keys
, res
->d_records
, domain
, 300, false, boost::none
, boost::none
, fixedNow
);
1403 return LWResult::Result::Success
;
1406 return LWResult::Result::Timeout
;
1409 vector
<DNSRecord
> ret
;
1410 int res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
1411 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1412 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoValidRRSIG
);
1413 /* 13 NS + 1 RRSIG */
1414 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
1415 BOOST_CHECK_EQUAL(queriesCount
, 2U);
1417 /* again, to test the cache */
1419 res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
1420 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1421 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoValidRRSIG
);
1422 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
1423 BOOST_CHECK_EQUAL(queriesCount
, 2U);
1426 BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_algo
)
1428 std::unique_ptr
<SyncRes
> sr
;
1431 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
1434 const DNSName
target(".");
1437 auto luaconfsCopy
= g_luaconfs
.getCopy();
1438 luaconfsCopy
.dsAnchors
.clear();
1439 generateKeyMaterial(g_rootdnsname
, DNSSECKeeper::RSASHA512
, DNSSECKeeper::DIGEST_SHA384
, keys
, luaconfsCopy
.dsAnchors
);
1441 g_luaconfs
.setState(luaconfsCopy
);
1443 size_t queriesCount
= 0;
1445 sr
->setAsyncCallback([target
, &queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
1448 if (domain
== target
&& type
== QType::NS
) {
1450 setLWResult(res
, 0, true, false, true);
1451 char addr
[] = "a.root-servers.net.";
1452 for (char idx
= 'a'; idx
<= 'm'; idx
++) {
1454 addRecordToLW(res
, domain
, QType::NS
, std::string(addr
), DNSResourceRecord::ANSWER
, 3600);
1457 /* FORCE WRONG ALGO */
1458 addRRSIG(keys
, res
->d_records
, domain
, 300, false, DNSSECKeeper::RSASHA256
);
1460 addRecordToLW(res
, "a.root-servers.net.", QType::A
, "198.41.0.4", DNSResourceRecord::ADDITIONAL
, 3600);
1461 addRecordToLW(res
, "a.root-servers.net.", QType::AAAA
, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL
, 3600);
1463 return LWResult::Result::Success
;
1465 else if (domain
== target
&& type
== QType::DNSKEY
) {
1467 setLWResult(res
, 0, true, false, true);
1469 addDNSKEY(keys
, domain
, 300, res
->d_records
);
1470 addRRSIG(keys
, res
->d_records
, domain
, 300);
1472 return LWResult::Result::Success
;
1475 return LWResult::Result::Timeout
;
1478 vector
<DNSRecord
> ret
;
1479 int res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
1480 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1481 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoValidRRSIG
);
1482 /* 13 NS + 1 RRSIG */
1483 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
1484 BOOST_CHECK_EQUAL(queriesCount
, 2U);
1486 /* again, to test the cache */
1488 res
= sr
->beginResolve(target
, QType(QType::NS
), QClass::IN
, ret
);
1489 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1490 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoValidRRSIG
);
1491 BOOST_REQUIRE_EQUAL(ret
.size(), 14U);
1492 BOOST_CHECK_EQUAL(queriesCount
, 2U);
1495 BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds
)
1497 std::unique_ptr
<SyncRes
> sr
;
1500 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
1503 const DNSName
target("com.");
1504 const ComboAddress
targetAddr("192.0.2.42");
1507 auto luaconfsCopy
= g_luaconfs
.getCopy();
1508 luaconfsCopy
.dsAnchors
.clear();
1509 generateKeyMaterial(g_rootdnsname
, DNSSECKeeper::RSASHA512
, DNSSECKeeper::DIGEST_SHA384
, keys
, luaconfsCopy
.dsAnchors
);
1510 generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
1512 g_luaconfs
.setState(luaconfsCopy
);
1514 size_t queriesCount
= 0;
1516 sr
->setAsyncCallback([target
, targetAddr
, &queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
1519 DNSName auth
= domain
;
1521 if (type
== QType::DS
|| type
== QType::DNSKEY
) {
1522 if (genericDSAndDNSKEYHandler(res
, domain
, auth
, type
, keys
) == LWResult::Result::Timeout
) {
1523 return LWResult::Result::Timeout
;
1526 if (type
== QType::DS
&& domain
== target
) {
1527 /* remove the last record, which is the DS's RRSIG */
1528 res
->d_records
.pop_back();
1531 return LWResult::Result::Success
;
1534 if (isRootServer(ip
)) {
1535 setLWResult(res
, 0, false, false, true);
1536 addRecordToLW(res
, "com.", QType::NS
, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY
, 3600);
1537 /* Include the DS but omit the RRSIG*/
1538 addDS(DNSName("com."), 300, res
->d_records
, keys
);
1539 addRecordToLW(res
, "a.gtld-servers.com.", QType::A
, "192.0.2.1", DNSResourceRecord::ADDITIONAL
, 3600);
1540 return LWResult::Result::Success
;
1543 if (ip
== ComboAddress("192.0.2.1:53")) {
1544 setLWResult(res
, RCode::NoError
, true, false, true);
1545 addRecordToLW(res
, domain
, QType::A
, targetAddr
.toString(), DNSResourceRecord::ANSWER
, 3600);
1546 addRRSIG(keys
, res
->d_records
, auth
, 300);
1547 return LWResult::Result::Success
;
1550 return LWResult::Result::Timeout
;
1553 vector
<DNSRecord
> ret
;
1554 int res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
1555 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1556 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoRRSIG
);
1557 BOOST_REQUIRE_EQUAL(ret
.size(), 2U);
1558 BOOST_CHECK_EQUAL(queriesCount
, 3U);
1560 /* again, to test the cache */
1562 res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
1563 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1564 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoRRSIG
);
1565 BOOST_REQUIRE_EQUAL(ret
.size(), 2U);
1566 BOOST_CHECK_EQUAL(queriesCount
, 3U);
1568 /* now we ask directly for the DS */
1570 res
= sr
->beginResolve(DNSName("com."), QType(QType::DS
), QClass::IN
, ret
);
1571 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1572 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoRRSIG
);
1573 BOOST_REQUIRE_EQUAL(ret
.size(), 1U);
1574 BOOST_CHECK_EQUAL(queriesCount
, 3U);
1577 BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds_direct
)
1579 std::unique_ptr
<SyncRes
> sr
;
1582 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
1585 const DNSName
target("com.");
1588 auto luaconfsCopy
= g_luaconfs
.getCopy();
1589 luaconfsCopy
.dsAnchors
.clear();
1590 generateKeyMaterial(g_rootdnsname
, DNSSECKeeper::RSASHA512
, DNSSECKeeper::DIGEST_SHA384
, keys
, luaconfsCopy
.dsAnchors
);
1591 generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
1593 g_luaconfs
.setState(luaconfsCopy
);
1595 size_t queriesCount
= 0;
1597 sr
->setAsyncCallback([target
, &queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
1600 DNSName auth
= domain
;
1602 if (type
== QType::DS
|| type
== QType::DNSKEY
) {
1603 if (genericDSAndDNSKEYHandler(res
, domain
, auth
, type
, keys
) == LWResult::Result::Timeout
) {
1604 return LWResult::Result::Timeout
;
1607 if (type
== QType::DS
&& domain
== target
) {
1608 /* remove the last record, which is the DS's RRSIG */
1609 res
->d_records
.pop_back();
1612 return LWResult::Result::Success
;
1615 if (isRootServer(ip
)) {
1616 setLWResult(res
, 0, false, false, true);
1617 addRecordToLW(res
, "com.", QType::NS
, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY
, 3600);
1618 /* Include the DS but omit the RRSIG*/
1619 addDS(DNSName("com."), 300, res
->d_records
, keys
);
1620 addRecordToLW(res
, "a.gtld-servers.com.", QType::A
, "192.0.2.1", DNSResourceRecord::ADDITIONAL
, 3600);
1621 return LWResult::Result::Success
;
1624 return LWResult::Result::Timeout
;
1627 vector
<DNSRecord
> ret
;
1628 int res
= sr
->beginResolve(DNSName("com."), QType(QType::DS
), QClass::IN
, ret
);
1629 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1630 BOOST_CHECK_EQUAL(sr
->getValidationState(), vState::BogusNoRRSIG
);
1631 BOOST_REQUIRE_EQUAL(ret
.size(), 1U);
1632 BOOST_CHECK_EQUAL(queriesCount
, 1U);
1635 BOOST_AUTO_TEST_SUITE_END()