]> git.ipfire.org Git - thirdparty/pdns.git/blob - regression-tests.recursor-dnssec/basicDNSSEC.py
Merge pull request #13743 from Habbie/auth-api-priority-error
[thirdparty/pdns.git] / regression-tests.recursor-dnssec / basicDNSSEC.py
1 import dns
2 from recursortests import RecursorTest
3 import os
4
5 class BasicDNSSEC(RecursorTest):
6 __test__ = False
7 _config_template = """dnssec=validate"""
8
9 @classmethod
10 def setUp(cls):
11 confdir = os.path.join('configs', cls._confdir)
12 cls.wipeRecursorCache(confdir)
13
14 def testSecureAnswer(self):
15 res = self.sendQuery('ns.secure.example.', 'A')
16 expected = dns.rrset.from_text('ns.secure.example.', 0, dns.rdataclass.IN, 'A', '{prefix}.10'.format(prefix=self._PREFIX))
17
18 self.assertRcodeEqual(res, dns.rcode.NOERROR)
19 self.assertMatchingRRSIGInAnswer(res, expected)
20 self.assertMessageIsAuthenticated(res)
21
22 def testInsecureAnswer(self):
23 res = self.sendQuery('node1.insecure.example.', 'A')
24
25 self.assertNoRRSIGsInAnswer(res)
26 self.assertRcodeEqual(res, dns.rcode.NOERROR)
27
28 # now we request the DS for insecure.example., which does not exist,
29 # to check that we correctly get the SOA and not just the denial proof
30 # that the recursor received on the delegation from example. to insecure.example.
31 res = self.sendQuery('insecure.example.', 'DS')
32 self.assertRcodeEqual(res, dns.rcode.NOERROR)
33 self.assertMessageIsAuthenticated(res)
34 self.assertAuthorityHasSOA(res)
35
36 def testBogusAnswer(self):
37 res = self.sendQuery('ted.bogus.example.', 'A')
38
39 self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
40 self.assertAnswerEmpty(res)
41
42 def testSecureNXDOMAIN(self):
43 res = self.sendQuery('nxdomain.secure.example.', 'A')
44
45 self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
46
47 def testInsecureNXDOMAIN(self):
48 res = self.sendQuery('nxdomain.insecure.example.', 'A')
49
50 self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
51
52 def testBogusNXDOMAIN(self):
53 res = self.sendQuery('nxdomain.bogus.example.', 'A')
54
55 self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
56
57 def testSecureOptoutAnswer(self):
58 res = self.sendQuery('node1.secure.optout.example.', 'A')
59 expected = dns.rrset.from_text('node1.secure.optout.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.8')
60
61 self.assertRcodeEqual(res, dns.rcode.NOERROR)
62 self.assertMatchingRRSIGInAnswer(res, expected)
63 self.assertMessageIsAuthenticated(res)
64
65 def testInsecureOptoutAnswer(self):
66 res = self.sendQuery('node1.insecure.optout.example.', 'A')
67
68 self.assertRcodeEqual(res, dns.rcode.NOERROR)
69 self.assertNoRRSIGsInAnswer(res)
70
71 def testSecureSubtreeInZoneAnswer(self):
72 res = self.sendQuery('host1.sub.secure.example.', 'A')
73 expected = dns.rrset.from_text('host1.sub.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.11')
74
75 self.assertRcodeEqual(res, dns.rcode.NOERROR)
76 self.assertMatchingRRSIGInAnswer(res, expected)
77 self.assertMessageIsAuthenticated(res)
78
79 def testSecureSubtreeInZoneNXDOMAIN(self):
80 res = self.sendQuery('host2.sub.secure.example.', 'A')
81
82 self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
83 self.assertMessageIsAuthenticated(res)
84
85 def testSecureWildcardAnswer(self):
86 res = self.sendQuery('something.wildcard.secure.example.', 'A')
87 expected = dns.rrset.from_text('something.wildcard.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.10')
88
89 self.assertRcodeEqual(res, dns.rcode.NOERROR)
90 self.assertMatchingRRSIGInAnswer(res, expected)
91 self.assertMessageIsAuthenticated(res)
92
93 def testSecureCNAMEWildCardAnswer(self):
94 res = self.sendQuery('something.cnamewildcard.secure.example.', 'A')
95 expectedCNAME = dns.rrset.from_text('something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
96 expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
97
98 self.assertRcodeEqual(res, dns.rcode.NOERROR)
99 self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
100 self.assertMatchingRRSIGInAnswer(res, expectedA)
101 self.assertMessageIsAuthenticated(res)
102
103 def testSecureCNAMEWildCardNXDOMAIN(self):
104 # the answer to this query reaches the UDP truncation threshold, so let's use TCP
105 res = self.sendQuery('something.cnamewildcardnxdomain.secure.example.', 'A', useTCP=True)
106 expectedCNAME = dns.rrset.from_text('something.cnamewildcardnxdomain.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'doesnotexist.secure.example.')
107
108 self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
109 self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
110 self.assertMessageIsAuthenticated(res)
111
112 def testSecureNoData(self):
113 res = self.sendQuery('host1.secure.example.', 'AAAA')
114
115 self.assertRcodeEqual(res, dns.rcode.NOERROR)
116 self.assertAnswerEmpty(res)
117 self.assertAuthorityHasSOA(res)
118 self.assertMessageIsAuthenticated(res)
119
120 def testSecureCNAMENoData(self):
121 res = self.sendQuery('cname.secure.example.', 'AAAA')
122 expectedCNAME = dns.rrset.from_text('cname.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
123
124 self.assertRcodeEqual(res, dns.rcode.NOERROR)
125 self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
126 self.assertAuthorityHasSOA(res)
127 self.assertMessageIsAuthenticated(res)
128
129 def testSecureWildCardNoData(self):
130 res = self.sendQuery('something.cnamewildcard.secure.example.', 'AAAA')
131 expectedCNAME = dns.rrset.from_text('something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
132
133 self.assertRcodeEqual(res, dns.rcode.NOERROR)
134 self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
135 self.assertAuthorityHasSOA(res)
136 self.assertMessageIsAuthenticated(res)
137
138 def testInsecureToSecureCNAMEAnswer(self):
139 res = self.sendQuery('cname-to-secure.insecure.example.', 'A')
140 expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
141 expectedCNAME = dns.rrset.from_text('cname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
142
143 self.assertRcodeEqual(res, dns.rcode.NOERROR)
144 self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
145 self.assertRRsetInAnswer(res, expectedCNAME)
146 self.assertMatchingRRSIGInAnswer(res, expectedA)
147
148 def testSecureToInsecureCNAMEAnswer(self):
149 res = self.sendQuery('cname-to-insecure.secure.example.', 'A')
150 expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
151 expectedCNAME = dns.rrset.from_text('cname-to-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.secure.example.')
152
153 self.assertRcodeEqual(res, dns.rcode.NOERROR)
154 self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
155 self.assertRRsetInAnswer(res, expectedA)
156 self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
157
158 def testSecureDNAMEToSecureAnswer(self):
159 res = self.sendQuery('host1.dname-secure.secure.example.', 'A')
160 expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
161 expectedCNAME = dns.rrset.from_text('host1.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.')
162 expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21')
163
164 self.assertRcodeEqual(res, dns.rcode.NOERROR)
165 self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
166 self.assertRRsetInAnswer(res, expectedA)
167 self.assertRRsetInAnswer(res, expectedCNAME)
168 self.assertRRsetInAnswer(res, expectedDNAME)
169 self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
170 self.assertMatchingRRSIGInAnswer(res, expectedA)
171
172 def testSecureDNAMEToSecureNXDomain(self):
173 res = self.sendQuery('nxd.dname-secure.secure.example.', 'A')
174 expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
175 expectedCNAME = dns.rrset.from_text('nxd.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.')
176
177 self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
178 self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
179 self.assertRRsetInAnswer(res, expectedCNAME)
180 self.assertRRsetInAnswer(res, expectedDNAME)
181 self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
182
183 def testSecureDNAMEToInsecureAnswer(self):
184 res = self.sendQuery('node1.dname-insecure.secure.example.', 'A')
185 expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.')
186 expectedCNAME = dns.rrset.from_text('node1.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.')
187 expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
188
189 self.assertRcodeEqual(res, dns.rcode.NOERROR)
190 self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
191 self.assertRRsetInAnswer(res, expectedA)
192 self.assertRRsetInAnswer(res, expectedCNAME)
193 self.assertRRsetInAnswer(res, expectedDNAME)
194 self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
195
196 def testSecureDNAMEToInsecureNXDomain(self):
197 res = self.sendQuery('nxd.dname-insecure.secure.example.', 'A')
198 expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.')
199 expectedCNAME = dns.rrset.from_text('nxd.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.insecure.example.')
200
201 self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
202 self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
203 self.assertRRsetInAnswer(res, expectedCNAME)
204 self.assertRRsetInAnswer(res, expectedDNAME)
205 self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
206
207 def testSecureDNAMEToBogusAnswer(self):
208 res = self.sendQuery('ted.dname-bogus.secure.example.', 'A')
209
210 self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
211 self.assertAnswerEmpty(res)
212
213 def testSecureDNAMEToBogusNXDomain(self):
214 res = self.sendQuery('nxd.dname-bogus.secure.example.', 'A')
215
216 self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
217 self.assertAnswerEmpty(res)
218
219 def testInsecureDNAMEtoSecureAnswer(self):
220 res = self.sendQuery('host1.dname-to-secure.insecure.example.', 'A')
221 expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
222 expectedCNAME = dns.rrset.from_text('host1.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.')
223 expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21')
224
225 self.assertRcodeEqual(res, dns.rcode.NOERROR)
226 self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
227 self.assertRRsetInAnswer(res, expectedA)
228 self.assertRRsetInAnswer(res, expectedCNAME)
229 self.assertRRsetInAnswer(res, expectedDNAME)
230 self.assertMatchingRRSIGInAnswer(res, expectedA)
231
232 def testSecureDNAMEToSecureCNAMEAnswer(self):
233 res = self.sendQuery('cname-to-secure.dname-secure.secure.example.', 'A')
234
235 expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
236 expectedCNAME1 = dns.rrset.from_text('cname-to-secure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-secure.dname-secure.example.')
237 expectedCNAME2 = dns.rrset.from_text('cname-to-secure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
238 expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
239
240 self.assertRcodeEqual(res, dns.rcode.NOERROR)
241 self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
242 self.assertRRsetInAnswer(res, expectedA)
243 self.assertRRsetInAnswer(res, expectedCNAME1)
244 self.assertRRsetInAnswer(res, expectedCNAME2)
245 self.assertMatchingRRSIGInAnswer(res, expectedCNAME2)
246 self.assertRRsetInAnswer(res, expectedDNAME)
247 self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
248 self.assertMatchingRRSIGInAnswer(res, expectedA)
249
250 def testSecureDNAMEToInsecureCNAMEAnswer(self):
251 res = self.sendQuery('cname-to-insecure.dname-secure.secure.example.', 'A')
252
253 expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
254 expectedCNAME1 = dns.rrset.from_text('cname-to-insecure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-insecure.dname-secure.example.')
255 expectedCNAME2 = dns.rrset.from_text('cname-to-insecure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.')
256 expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
257
258 self.assertRcodeEqual(res, dns.rcode.NOERROR)
259 self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
260 self.assertRRsetInAnswer(res, expectedA)
261 self.assertRRsetInAnswer(res, expectedCNAME1)
262 self.assertRRsetInAnswer(res, expectedCNAME2)
263 self.assertMatchingRRSIGInAnswer(res, expectedCNAME2)
264 self.assertRRsetInAnswer(res, expectedDNAME)
265 self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
266
267 def testSecureDNAMEToBogusCNAMEAnswer(self):
268 res = self.sendQuery('cname-to-bogus.dname-secure.secure.example.', 'A')
269
270 self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
271 self.assertAnswerEmpty(res)
272
273 def testInsecureDNAMEtoSecureNXDomain(self):
274 res = self.sendQuery('nxd.dname-to-secure.insecure.example.', 'A')
275 expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
276 expectedCNAME = dns.rrset.from_text('nxd.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.')
277
278 self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
279 self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
280 self.assertRRsetInAnswer(res, expectedCNAME)
281 self.assertRRsetInAnswer(res, expectedDNAME)