2 from recursortests
import RecursorTest
5 class BasicDNSSEC(RecursorTest
):
7 _config_template
= """dnssec=validate"""
11 confdir
= os
.path
.join('configs', cls
._confdir
)
12 cls
.wipeRecursorCache(confdir
)
def testSecureAnswer(self):
    """Query an A record under secure.example. and expect a signed, authenticated answer.

    Asserts NOERROR, an RRSIG in the answer section matching the expected
    A RRset, and that assertMessageIsAuthenticated accepts the response.
    """
    response = self.sendQuery('ns.secure.example.', 'A')
    # The expected address is derived from self._PREFIX rather than hard-coded.
    address = '{prefix}.10'.format(prefix=self._PREFIX)
    expected_a = dns.rrset.from_text('ns.secure.example.', 0, dns.rdataclass.IN, 'A', address)

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertMatchingRRSIGInAnswer(response, expected_a)
    # presumably checks the AD flag; confirm in RecursorTest
    self.assertMessageIsAuthenticated(response)
def testInsecureAnswer(self):
    """Query an A record under insecure.example. and expect an unsigned NOERROR answer."""
    response = self.sendQuery('node1.insecure.example.', 'A')

    # NOTE(review): nothing here asserts that the response is NOT marked
    # authenticated; if RecursorTest has a helper for that, an insecure
    # answer is the place to use it. Confirm before adding.
    self.assertNoRRSIGsInAnswer(response)
    self.assertRcodeEqual(response, dns.rcode.NOERROR)
def testBogusAnswer(self):
    """Query an A record under bogus.example. and expect SERVFAIL with no answer data.

    The class config template sets dnssec=validate, so data that fails
    validation must not reach the client: the test requires both the
    SERVFAIL rcode and an empty answer section.
    """
    response = self.sendQuery('ted.bogus.example.', 'A')

    self.assertRcodeEqual(response, dns.rcode.SERVFAIL)
    self.assertAnswerEmpty(response)
def testSecureNXDOMAIN(self):
    """Query a non-existent name under secure.example. and expect NXDOMAIN."""
    response = self.sendQuery('nxdomain.secure.example.', 'A')

    # NOTE(review): testSecureSubtreeInZoneNXDOMAIN also calls
    # assertMessageIsAuthenticated on its NXDOMAIN; this test checks the
    # rcode only, so an unauthenticated denial would still pass here.
    self.assertRcodeEqual(response, dns.rcode.NXDOMAIN)
def testInsecureNXDOMAIN(self):
    """Query a non-existent name under insecure.example. and expect NXDOMAIN."""
    response = self.sendQuery('nxdomain.insecure.example.', 'A')

    # Only the rcode is checked; no DNSSEC-related assertion is made.
    self.assertRcodeEqual(response, dns.rcode.NXDOMAIN)
def testBogusNXDOMAIN(self):
    """Query a non-existent name under bogus.example. and expect SERVFAIL, not NXDOMAIN."""
    response = self.sendQuery('nxdomain.bogus.example.', 'A')

    # NOTE(review): testBogusAnswer additionally asserts an empty answer
    # section; this test checks the rcode only.
    self.assertRcodeEqual(response, dns.rcode.SERVFAIL)
def testSecureOptoutAnswer(self):
    """Query an A record under secure.optout.example. and expect a signed, authenticated answer.

    Asserts NOERROR, an RRSIG matching the expected A RRset (192.0.2.8),
    and that assertMessageIsAuthenticated accepts the response.
    """
    qname = 'node1.secure.optout.example.'
    response = self.sendQuery(qname, 'A')
    expected_a = dns.rrset.from_text(qname, 0, dns.rdataclass.IN, 'A', '192.0.2.8')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertMatchingRRSIGInAnswer(response, expected_a)
    self.assertMessageIsAuthenticated(response)
def testInsecureOptoutAnswer(self):
    """Query an A record under insecure.optout.example. and expect an unsigned NOERROR answer."""
    response = self.sendQuery('node1.insecure.optout.example.', 'A')

    # Same two checks as testInsecureAnswer, in the opposite order.
    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertNoRRSIGsInAnswer(response)
def testSecureSubtreeInZoneAnswer(self):
    """Query an A record one label below sub.secure.example. and expect a signed, authenticated answer.

    Asserts NOERROR, an RRSIG matching the expected A RRset (192.0.2.11),
    and that assertMessageIsAuthenticated accepts the response.
    """
    qname = 'host1.sub.secure.example.'
    response = self.sendQuery(qname, 'A')
    expected_a = dns.rrset.from_text(qname, 0, dns.rdataclass.IN, 'A', '192.0.2.11')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertMatchingRRSIGInAnswer(response, expected_a)
    self.assertMessageIsAuthenticated(response)
def testSecureSubtreeInZoneNXDOMAIN(self):
    """Query a non-existent name below sub.secure.example. and expect an authenticated NXDOMAIN."""
    response = self.sendQuery('host2.sub.secure.example.', 'A')

    # The denial itself must be authenticated, not just carry the right rcode.
    self.assertRcodeEqual(response, dns.rcode.NXDOMAIN)
    self.assertMessageIsAuthenticated(response)
def testSecureWildcardAnswer(self):
    """Query a name under wildcard.secure.example. and expect a signed, authenticated answer.

    The expected RRset is owned by the query name itself (not by a
    wildcard label) and holds 192.0.2.10.
    """
    qname = 'something.wildcard.secure.example.'
    response = self.sendQuery(qname, 'A')
    expected_a = dns.rrset.from_text(qname, 0, dns.rdataclass.IN, 'A', '192.0.2.10')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertMatchingRRSIGInAnswer(response, expected_a)
    self.assertMessageIsAuthenticated(response)
def testSecureCNAMEWildCardAnswer(self):
    """Query a name under cnamewildcard.secure.example. and expect a signed CNAME plus its signed target.

    Asserts NOERROR, a matching RRSIG for both the CNAME and the A RRset
    of host1.secure.example., and an authenticated message.
    """
    in_class = dns.rdataclass.IN
    response = self.sendQuery('something.cnamewildcard.secure.example.', 'A')
    expected_cname = dns.rrset.from_text(
        'something.cnamewildcard.secure.example.', 0, in_class, 'CNAME', 'host1.secure.example.')
    expected_a = dns.rrset.from_text('host1.secure.example.', 0, in_class, 'A', '192.0.2.2')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    # Every link of the chain has to be covered by a signature.
    self.assertMatchingRRSIGInAnswer(response, expected_cname)
    self.assertMatchingRRSIGInAnswer(response, expected_a)
    self.assertMessageIsAuthenticated(response)
def testSecureCNAMEWildCardNXDOMAIN(self):
    """Query a name whose CNAME points at a non-existent name and expect an authenticated NXDOMAIN.

    The answer section must still carry the signed CNAME even though the
    final rcode is NXDOMAIN.
    """
    qname = 'something.cnamewildcardnxdomain.secure.example.'
    # TCP is used because the response to this query reaches the UDP
    # truncation threshold.
    response = self.sendQuery(qname, 'A', useTCP=True)
    expected_cname = dns.rrset.from_text(
        qname, 0, dns.rdataclass.IN, 'CNAME', 'doesntexist.secure.example.')

    self.assertRcodeEqual(response, dns.rcode.NXDOMAIN)
    self.assertMatchingRRSIGInAnswer(response, expected_cname)
    self.assertMessageIsAuthenticated(response)
def testSecureNoData(self):
    """Query AAAA for host1.secure.example. and expect an authenticated NODATA response.

    NODATA here means NOERROR with an empty answer section and an SOA in
    the authority section.
    """
    response = self.sendQuery('host1.secure.example.', 'AAAA')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertAnswerEmpty(response)
    self.assertAuthorityHasSOA(response)
    self.assertMessageIsAuthenticated(response)
def testSecureCNAMENoData(self):
    """Query AAAA for a CNAME in secure.example. and expect the signed CNAME plus an authenticated NODATA.

    Asserts NOERROR, a matching RRSIG for the CNAME, an SOA in the
    authority section, and an authenticated message.
    """
    qname = 'cname.secure.example.'
    response = self.sendQuery(qname, 'AAAA')
    expected_cname = dns.rrset.from_text(
        qname, 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertMatchingRRSIGInAnswer(response, expected_cname)
    self.assertAuthorityHasSOA(response)
    self.assertMessageIsAuthenticated(response)
def testSecureWildCardNoData(self):
    """Query AAAA for a name under cnamewildcard.secure.example. and expect the signed CNAME plus an authenticated NODATA.

    Asserts NOERROR, a matching RRSIG for the CNAME, an SOA in the
    authority section, and an authenticated message.
    """
    qname = 'something.cnamewildcard.secure.example.'
    response = self.sendQuery(qname, 'AAAA')
    expected_cname = dns.rrset.from_text(
        qname, 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertMatchingRRSIGInAnswer(response, expected_cname)
    self.assertAuthorityHasSOA(response)
    self.assertMessageIsAuthenticated(response)
def testInsecureToSecureCNAMEAnswer(self):
    """Follow a CNAME from insecure.example. into secure.example.

    The CNAME only has to be present in the answer; the A RRset it points
    to must come with a matching RRSIG. assertMessageIsAuthenticated is
    not called for this mixed chain.
    """
    in_class = dns.rdataclass.IN
    response = self.sendQuery('cname-to-secure.insecure.example.', 'A')
    expected_a = dns.rrset.from_text('host1.secure.example.', 0, in_class, 'A', '192.0.2.2')
    expected_cname = dns.rrset.from_text(
        'cname-to-secure.insecure.example.', 0, in_class, 'CNAME', 'host1.secure.example.')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    # presumably an exact match on header flags and EDNS flags, which would
    # make this the check that AD is absent; confirm in RecursorTest
    self.assertMessageHasFlags(response, ['QR', 'RD', 'RA'], ['DO'])
    self.assertRRsetInAnswer(response, expected_cname)
    self.assertMatchingRRSIGInAnswer(response, expected_a)
def testSecureToInsecureCNAMEAnswer(self):
    """Follow a CNAME from secure.example. into insecure.example.

    The CNAME must come with a matching RRSIG; the A RRset of the
    insecure target only has to be present in the answer.
    assertMessageIsAuthenticated is not called for this mixed chain.
    """
    in_class = dns.rdataclass.IN
    response = self.sendQuery('cname-to-insecure.secure.example.', 'A')
    expected_a = dns.rrset.from_text('node1.insecure.example.', 0, in_class, 'A', '192.0.2.6')
    # NOTE(review): the CNAME rdata below is 'node1.secure.example.' while
    # the A RRset above is owned by 'node1.insecure.example.'. The target
    # looks like a typo; if the RRSIG helper matches on owner and type only
    # it would go unnoticed. Confirm against the zone data.
    expected_cname = dns.rrset.from_text(
        'cname-to-insecure.secure.example.', 0, in_class, 'CNAME', 'node1.secure.example.')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    # presumably an exact match on header flags and EDNS flags, which would
    # make this the check that AD is absent; confirm in RecursorTest
    self.assertMessageHasFlags(response, ['QR', 'RD', 'RA'], ['DO'])
    self.assertRRsetInAnswer(response, expected_a)
    self.assertMatchingRRSIGInAnswer(response, expected_cname)