git.ipfire.org Git - thirdparty/pdns.git/blob - regression-tests.recursor-dnssec/basicDNSSEC.py
2 from recursortests
import RecursorTest
5 class BasicDNSSEC(RecursorTest
):
7 _config_template
= """dnssec=validate"""
11 confdir
= os
.path
.join('configs', cls
._confdir
)
12 cls
.wipeRecursorCache(confdir
)
def testSecureAnswer(self):
    """Query ns.secure.example./A and require a signed, authenticated answer.

    Expects NOERROR, an RRSIG covering the expected A rrset in the answer
    section, and a message accepted by assertMessageIsAuthenticated.
    """
    response = self.sendQuery('ns.secure.example.', 'A')
    # The expected address is built from the suite's _PREFIX, not hard-coded.
    address = '{prefix}.10'.format(prefix=self._PREFIX)
    a_rrset = dns.rrset.from_text(
        'ns.secure.example.', 0, dns.rdataclass.IN, 'A', address)

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertMatchingRRSIGInAnswer(response, a_rrset)
    self.assertMessageIsAuthenticated(response)
def testInsecureAnswer(self):
    """Query node1.insecure.example./A and expect NOERROR without RRSIGs."""
    response = self.sendQuery('node1.insecure.example.', 'A')

    self.assertNoRRSIGsInAnswer(response)
    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    # NOTE(review): nothing here checks that the response is *not* marked
    # authenticated. An explicit flag assertion would catch a validator that
    # vouches for unsigned data -- confirm which RecursorTest helper fits.
def testBogusAnswer(self):
    """Query ted.bogus.example./A and expect SERVFAIL with an empty answer.

    The empty-answer check matters as much as the rcode: data that failed
    validation must not be handed to the client alongside the error.
    """
    response = self.sendQuery('ted.bogus.example.', 'A')

    self.assertRcodeEqual(response, dns.rcode.SERVFAIL)
    self.assertAnswerEmpty(response)
def testSecureNXDOMAIN(self):
    """Query nxdomain.secure.example./A and expect NXDOMAIN."""
    response = self.sendQuery('nxdomain.secure.example.', 'A')

    self.assertRcodeEqual(response, dns.rcode.NXDOMAIN)
    # NOTE(review): unlike testSecureSubtreeInZoneNXDOMAIN, this test does not
    # call assertMessageIsAuthenticated, so an unvalidated denial would still
    # pass -- confirm whether that omission is intentional.
def testInsecureNXDOMAIN(self):
    """Query nxdomain.insecure.example./A and expect NXDOMAIN."""
    response = self.sendQuery('nxdomain.insecure.example.', 'A')

    # Only the rcode is checked; no flag or RRSIG assertion is made here.
    self.assertRcodeEqual(response, dns.rcode.NXDOMAIN)
def testBogusNXDOMAIN(self):
    """Query nxdomain.bogus.example./A and expect SERVFAIL, not NXDOMAIN."""
    response = self.sendQuery('nxdomain.bogus.example.', 'A')

    self.assertRcodeEqual(response, dns.rcode.SERVFAIL)
    # NOTE(review): testBogusAnswer also asserts an empty answer section;
    # this test checks the rcode only -- consider the same check here.
def testSecureOptoutAnswer(self):
    """Query node1.secure.optout.example./A and require an authenticated answer.

    Expects NOERROR, an RRSIG covering the expected A rrset (192.0.2.8), and
    a message accepted by assertMessageIsAuthenticated.
    """
    qname = 'node1.secure.optout.example.'
    response = self.sendQuery(qname, 'A')
    a_rrset = dns.rrset.from_text(
        'node1.secure.optout.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.8')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertMatchingRRSIGInAnswer(response, a_rrset)
    self.assertMessageIsAuthenticated(response)
def testInsecureOptoutAnswer(self):
    """Query node1.insecure.optout.example./A and expect NOERROR without RRSIGs."""
    response = self.sendQuery('node1.insecure.optout.example.', 'A')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertNoRRSIGsInAnswer(response)
    # NOTE(review): no assertion that the message is left unauthenticated;
    # for an opt-out delegation that is the property most worth pinning --
    # confirm against the RecursorTest helpers.
def testSecureSubtreeInZoneAnswer(self):
    """Query host1.sub.secure.example./A and require an authenticated answer.

    Expects NOERROR, an RRSIG covering the expected A rrset (192.0.2.11), and
    a message accepted by assertMessageIsAuthenticated.
    """
    response = self.sendQuery('host1.sub.secure.example.', 'A')
    a_rrset = dns.rrset.from_text(
        'host1.sub.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.11')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertMatchingRRSIGInAnswer(response, a_rrset)
    self.assertMessageIsAuthenticated(response)
def testSecureSubtreeInZoneNXDOMAIN(self):
    """Query host2.sub.secure.example./A and expect an authenticated NXDOMAIN."""
    response = self.sendQuery('host2.sub.secure.example.', 'A')

    self.assertRcodeEqual(response, dns.rcode.NXDOMAIN)
    # The denial itself must be validated, not just the rcode returned.
    self.assertMessageIsAuthenticated(response)
def testSecureWildcardAnswer(self):
    """Query something.wildcard.secure.example./A and require an authenticated answer.

    Expects NOERROR, an RRSIG covering the expected A rrset (192.0.2.10) at
    the queried name, and a message accepted by assertMessageIsAuthenticated.
    """
    response = self.sendQuery('something.wildcard.secure.example.', 'A')
    a_rrset = dns.rrset.from_text(
        'something.wildcard.secure.example.', 0, dns.rdataclass.IN,
        'A', '192.0.2.10')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertMatchingRRSIGInAnswer(response, a_rrset)
    self.assertMessageIsAuthenticated(response)
def testSecureCNAMEWildCardAnswer(self):
    """Query something.cnamewildcard.secure.example./A and follow the CNAME.

    Expects NOERROR, RRSIGs covering both the CNAME at the queried name and
    the A rrset of host1.secure.example., and an authenticated message.
    """
    in_class = dns.rdataclass.IN
    response = self.sendQuery('something.cnamewildcard.secure.example.', 'A')
    cname_rrset = dns.rrset.from_text(
        'something.cnamewildcard.secure.example.', 0, in_class,
        'CNAME', 'host1.secure.example.')
    a_rrset = dns.rrset.from_text(
        'host1.secure.example.', 0, in_class, 'A', '192.0.2.2')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    # Both links of the chain must carry a matching signature.
    for signed_rrset in (cname_rrset, a_rrset):
        self.assertMatchingRRSIGInAnswer(response, signed_rrset)
    self.assertMessageIsAuthenticated(response)
def testSecureCNAMEWildCardNXDOMAIN(self):
    """Query something.cnamewildcardnxdomain.secure.example./A over TCP.

    Expects NXDOMAIN, an RRSIG covering the CNAME at the queried name
    (target doesnotexist.secure.example.), and an authenticated message.
    """
    qname = 'something.cnamewildcardnxdomain.secure.example.'
    # TCP is used because the response reaches the UDP truncation threshold.
    response = self.sendQuery(
        'something.cnamewildcardnxdomain.secure.example.', 'A', useTCP=True)
    cname_rrset = dns.rrset.from_text(
        'something.cnamewildcardnxdomain.secure.example.', 0,
        dns.rdataclass.IN, 'CNAME', 'doesnotexist.secure.example.')

    self.assertRcodeEqual(response, dns.rcode.NXDOMAIN)
    self.assertMatchingRRSIGInAnswer(response, cname_rrset)
    self.assertMessageIsAuthenticated(response)
def testSecureNoData(self):
    """Query host1.secure.example./AAAA and expect an authenticated NODATA.

    Expects NOERROR, an empty answer section, an SOA in the authority
    section, and a message accepted by assertMessageIsAuthenticated.
    """
    response = self.sendQuery('host1.secure.example.', 'AAAA')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertAnswerEmpty(response)
    self.assertAuthorityHasSOA(response)
    self.assertMessageIsAuthenticated(response)
def testSecureCNAMENoData(self):
    """Query cname.secure.example./AAAA and expect a signed CNAME plus NODATA.

    Expects NOERROR, an RRSIG covering the CNAME at the queried name, an SOA
    in the authority section, and an authenticated message.
    """
    response = self.sendQuery('cname.secure.example.', 'AAAA')
    cname_rrset = dns.rrset.from_text(
        'cname.secure.example.', 0, dns.rdataclass.IN,
        'CNAME', 'host1.secure.example.')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertMatchingRRSIGInAnswer(response, cname_rrset)
    self.assertAuthorityHasSOA(response)
    self.assertMessageIsAuthenticated(response)
def testSecureWildCardNoData(self):
    """Query something.cnamewildcard.secure.example./AAAA and expect NODATA.

    Expects NOERROR, an RRSIG covering the CNAME at the queried name, an SOA
    in the authority section, and an authenticated message.
    """
    response = self.sendQuery('something.cnamewildcard.secure.example.', 'AAAA')
    cname_rrset = dns.rrset.from_text(
        'something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN,
        'CNAME', 'host1.secure.example.')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertMatchingRRSIGInAnswer(response, cname_rrset)
    self.assertAuthorityHasSOA(response)
    self.assertMessageIsAuthenticated(response)
def testInsecureToSecureCNAMEAnswer(self):
    """Query cname-to-secure.insecure.example./A and follow it to host1.secure.example.

    Expects NOERROR, the CNAME rrset in the answer, and an RRSIG covering the
    target A rrset. The expected header flags are QR, RD and RA only.
    """
    in_class = dns.rdataclass.IN
    response = self.sendQuery('cname-to-secure.insecure.example.', 'A')
    a_rrset = dns.rrset.from_text(
        'host1.secure.example.', 0, in_class, 'A', '192.0.2.2')
    cname_rrset = dns.rrset.from_text(
        'cname-to-secure.insecure.example.', 0, in_class,
        'CNAME', 'host1.secure.example.')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    # AD is not among the expected flags: the chain starts at an unsigned
    # name. Whether the helper rejects extra flags is decided in
    # RecursorTest -- confirm.
    self.assertMessageHasFlags(response, ['QR', 'RD', 'RA'], ['DO'])
    self.assertRRsetInAnswer(response, cname_rrset)
    self.assertMatchingRRSIGInAnswer(response, a_rrset)
def testSecureToInsecureCNAMEAnswer(self):
    """Query cname-to-insecure.secure.example./A and follow it to an insecure A.

    Expects NOERROR, the A rrset of node1.insecure.example. in the answer,
    and an RRSIG covering the CNAME at the queried name. The expected header
    flags are QR, RD and RA only.
    """
    in_class = dns.rdataclass.IN
    response = self.sendQuery('cname-to-insecure.secure.example.', 'A')
    a_rrset = dns.rrset.from_text(
        'node1.insecure.example.', 0, in_class, 'A', '192.0.2.6')
    # NOTE(review): the CNAME target below is node1.secure.example. while the
    # A rrset asserted is node1.insecure.example. -- this looks like a typo
    # that only passes if assertMatchingRRSIGInAnswer ignores rdata; confirm
    # against the zone data and the helper.
    cname_rrset = dns.rrset.from_text(
        'cname-to-insecure.secure.example.', 0, in_class,
        'CNAME', 'node1.secure.example.')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertMessageHasFlags(response, ['QR', 'RD', 'RA'], ['DO'])
    self.assertRRsetInAnswer(response, a_rrset)
    self.assertMatchingRRSIGInAnswer(response, cname_rrset)
def testSecureDNAMEToSecureAnswer(self):
    """Query host1.dname-secure.secure.example./A through a DNAME.

    The DNAME at dname-secure.secure.example. points to dname-secure.example.
    Expects NOERROR, flags QR/RD/RA/AD, the A, CNAME and DNAME rrsets in the
    answer, and RRSIGs covering the DNAME and the A rrset.
    """
    in_class = dns.rdataclass.IN
    response = self.sendQuery('host1.dname-secure.secure.example.', 'A')
    dname_rrset = dns.rrset.from_text(
        'dname-secure.secure.example.', 0, in_class,
        'DNAME', 'dname-secure.example.')
    cname_rrset = dns.rrset.from_text(
        'host1.dname-secure.secure.example.', 0, in_class,
        'CNAME', 'host1.dname-secure.example.')
    a_rrset = dns.rrset.from_text(
        'host1.dname-secure.example.', 0, in_class, 'A', '192.0.2.21')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertMessageHasFlags(response, ['QR', 'RD', 'RA', 'AD'], ['DO'])
    for present_rrset in (a_rrset, cname_rrset, dname_rrset):
        self.assertRRsetInAnswer(response, present_rrset)
    # No RRSIG is asserted for the CNAME -- presumably because it is
    # synthesized from the DNAME; confirm.
    for signed_rrset in (dname_rrset, a_rrset):
        self.assertMatchingRRSIGInAnswer(response, signed_rrset)
def testSecureDNAMEToSecureNXDomain(self):
    """Query nxd.dname-secure.secure.example./A through a DNAME.

    Expects NXDOMAIN, flags QR/RD/RA/AD, the CNAME and DNAME rrsets in the
    answer, and an RRSIG covering the DNAME.
    """
    in_class = dns.rdataclass.IN
    response = self.sendQuery('nxd.dname-secure.secure.example.', 'A')
    dname_rrset = dns.rrset.from_text(
        'dname-secure.secure.example.', 0, in_class,
        'DNAME', 'dname-secure.example.')
    cname_rrset = dns.rrset.from_text(
        'nxd.dname-secure.secure.example.', 0, in_class,
        'CNAME', 'nxd.dname-secure.example.')

    self.assertRcodeEqual(response, dns.rcode.NXDOMAIN)
    self.assertMessageHasFlags(response, ['QR', 'RD', 'RA', 'AD'], ['DO'])
    for present_rrset in (cname_rrset, dname_rrset):
        self.assertRRsetInAnswer(response, present_rrset)
    self.assertMatchingRRSIGInAnswer(response, dname_rrset)
def testSecureDNAMEToInsecureAnswer(self):
    """Query node1.dname-insecure.secure.example./A through a DNAME.

    The DNAME at dname-insecure.secure.example. points to insecure.example.
    Expects NOERROR, flags QR/RD/RA (AD not listed), the A, CNAME and DNAME
    rrsets in the answer, and an RRSIG covering the DNAME only.
    """
    in_class = dns.rdataclass.IN
    response = self.sendQuery('node1.dname-insecure.secure.example.', 'A')
    dname_rrset = dns.rrset.from_text(
        'dname-insecure.secure.example.', 0, in_class,
        'DNAME', 'insecure.example.')
    cname_rrset = dns.rrset.from_text(
        'node1.dname-insecure.secure.example.', 0, in_class,
        'CNAME', 'node1.insecure.example.')
    a_rrset = dns.rrset.from_text(
        'node1.insecure.example.', 0, in_class, 'A', '192.0.2.6')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    # A signed DNAME must not lend authenticated status to an unsigned target.
    self.assertMessageHasFlags(response, ['QR', 'RD', 'RA'], ['DO'])
    for present_rrset in (a_rrset, cname_rrset, dname_rrset):
        self.assertRRsetInAnswer(response, present_rrset)
    self.assertMatchingRRSIGInAnswer(response, dname_rrset)
def testSecureDNAMEToInsecureNXDomain(self):
    """Query nxd.dname-insecure.secure.example./A through a DNAME.

    Expects NXDOMAIN, flags QR/RD/RA (AD not listed), the CNAME and DNAME
    rrsets in the answer, and an RRSIG covering the DNAME.
    """
    in_class = dns.rdataclass.IN
    response = self.sendQuery('nxd.dname-insecure.secure.example.', 'A')
    dname_rrset = dns.rrset.from_text(
        'dname-insecure.secure.example.', 0, in_class,
        'DNAME', 'insecure.example.')
    cname_rrset = dns.rrset.from_text(
        'nxd.dname-insecure.secure.example.', 0, in_class,
        'CNAME', 'nxd.insecure.example.')

    self.assertRcodeEqual(response, dns.rcode.NXDOMAIN)
    self.assertMessageHasFlags(response, ['QR', 'RD', 'RA'], ['DO'])
    for present_rrset in (cname_rrset, dname_rrset):
        self.assertRRsetInAnswer(response, present_rrset)
    self.assertMatchingRRSIGInAnswer(response, dname_rrset)
def testSecureDNAMEToBogusAnswer(self):
    """Query ted.dname-bogus.secure.example./A and expect SERVFAIL, empty answer.

    Even the DNAME part of the chain must be withheld: the answer section is
    asserted to be empty.
    """
    response = self.sendQuery('ted.dname-bogus.secure.example.', 'A')

    self.assertRcodeEqual(response, dns.rcode.SERVFAIL)
    self.assertAnswerEmpty(response)
def testSecureDNAMEToBogusNXDomain(self):
    """Query nxd.dname-bogus.secure.example./A and expect SERVFAIL, empty answer."""
    response = self.sendQuery('nxd.dname-bogus.secure.example.', 'A')

    # SERVFAIL rather than NXDOMAIN: the test expects the failure rcode here.
    self.assertRcodeEqual(response, dns.rcode.SERVFAIL)
    self.assertAnswerEmpty(response)
def testInsecureDNAMEtoSecureAnswer(self):
    """Query host1.dname-to-secure.insecure.example./A through a DNAME.

    The DNAME at dname-to-secure.insecure.example. points to
    dname-secure.example. Expects NOERROR, flags QR/RD/RA (AD not listed),
    the A, CNAME and DNAME rrsets in the answer, and an RRSIG covering the A.
    """
    in_class = dns.rdataclass.IN
    response = self.sendQuery('host1.dname-to-secure.insecure.example.', 'A')
    dname_rrset = dns.rrset.from_text(
        'dname-to-secure.insecure.example.', 0, in_class,
        'DNAME', 'dname-secure.example.')
    cname_rrset = dns.rrset.from_text(
        'host1.dname-to-secure.insecure.example.', 0, in_class,
        'CNAME', 'host1.dname-secure.example.')
    a_rrset = dns.rrset.from_text(
        'host1.dname-secure.example.', 0, in_class, 'A', '192.0.2.21')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    # The final A is signed, but the chain is entered through an unsigned
    # DNAME, so AD is not among the expected flags.
    self.assertMessageHasFlags(response, ['QR', 'RD', 'RA'], ['DO'])
    for present_rrset in (a_rrset, cname_rrset, dname_rrset):
        self.assertRRsetInAnswer(response, present_rrset)
    self.assertMatchingRRSIGInAnswer(response, a_rrset)
def testSecureDNAMEToSecureCNAMEAnswer(self):
    """Query cname-to-secure.dname-secure.secure.example./A via DNAME then CNAME.

    Expects NOERROR, flags QR/RD/RA/AD, the A, both CNAME and the DNAME
    rrsets in the answer, and RRSIGs covering the second CNAME, the DNAME
    and the A rrset.
    """
    in_class = dns.rdataclass.IN
    response = self.sendQuery(
        'cname-to-secure.dname-secure.secure.example.', 'A')

    dname_rrset = dns.rrset.from_text(
        'dname-secure.secure.example.', 0, in_class,
        'DNAME', 'dname-secure.example.')
    first_cname = dns.rrset.from_text(
        'cname-to-secure.dname-secure.secure.example.', 0, in_class,
        'CNAME', 'cname-to-secure.dname-secure.example.')
    second_cname = dns.rrset.from_text(
        'cname-to-secure.dname-secure.example.', 0, in_class,
        'CNAME', 'host1.secure.example.')
    a_rrset = dns.rrset.from_text(
        'host1.secure.example.', 0, in_class, 'A', '192.0.2.2')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    self.assertMessageHasFlags(response, ['QR', 'RD', 'RA', 'AD'], ['DO'])
    for present_rrset in (a_rrset, first_cname, second_cname):
        self.assertRRsetInAnswer(response, present_rrset)
    # No RRSIG is asserted for the first CNAME (owner under the DNAME).
    self.assertMatchingRRSIGInAnswer(response, second_cname)
    self.assertRRsetInAnswer(response, dname_rrset)
    for signed_rrset in (dname_rrset, a_rrset):
        self.assertMatchingRRSIGInAnswer(response, signed_rrset)
def testSecureDNAMEToInsecureCNAMEAnswer(self):
    """Query cname-to-insecure.dname-secure.secure.example./A via DNAME then CNAME.

    Expects NOERROR, flags QR/RD/RA (AD not listed), the A, both CNAME and
    the DNAME rrsets in the answer, and RRSIGs covering the second CNAME and
    the DNAME. No RRSIG is asserted for the A of node1.insecure.example.
    """
    in_class = dns.rdataclass.IN
    response = self.sendQuery(
        'cname-to-insecure.dname-secure.secure.example.', 'A')

    dname_rrset = dns.rrset.from_text(
        'dname-secure.secure.example.', 0, in_class,
        'DNAME', 'dname-secure.example.')
    first_cname = dns.rrset.from_text(
        'cname-to-insecure.dname-secure.secure.example.', 0, in_class,
        'CNAME', 'cname-to-insecure.dname-secure.example.')
    second_cname = dns.rrset.from_text(
        'cname-to-insecure.dname-secure.example.', 0, in_class,
        'CNAME', 'node1.insecure.example.')
    a_rrset = dns.rrset.from_text(
        'node1.insecure.example.', 0, in_class, 'A', '192.0.2.6')

    self.assertRcodeEqual(response, dns.rcode.NOERROR)
    # Signed DNAME and CNAME links do not make the unsigned final A
    # authenticated, hence no AD in the expected flags.
    self.assertMessageHasFlags(response, ['QR', 'RD', 'RA'], ['DO'])
    for present_rrset in (a_rrset, first_cname, second_cname):
        self.assertRRsetInAnswer(response, present_rrset)
    self.assertMatchingRRSIGInAnswer(response, second_cname)
    self.assertRRsetInAnswer(response, dname_rrset)
    self.assertMatchingRRSIGInAnswer(response, dname_rrset)
def testSecureDNAMEToBogusCNAMEAnswer(self):
    """Query cname-to-bogus.dname-secure.secure.example./A; expect SERVFAIL, empty answer."""
    response = self.sendQuery(
        'cname-to-bogus.dname-secure.secure.example.', 'A')

    self.assertRcodeEqual(response, dns.rcode.SERVFAIL)
    # The DNAME and CNAME links must be withheld too, not only the final rrset.
    self.assertAnswerEmpty(response)
def testInsecureDNAMEtoSecureNXDomain(self):
    """Query nxd.dname-to-secure.insecure.example./A through a DNAME.

    Expects NXDOMAIN, flags QR/RD/RA (AD not listed), and the CNAME and
    DNAME rrsets in the answer. No RRSIG assertion is made in this test.
    """
    in_class = dns.rdataclass.IN
    response = self.sendQuery('nxd.dname-to-secure.insecure.example.', 'A')
    dname_rrset = dns.rrset.from_text(
        'dname-to-secure.insecure.example.', 0, in_class,
        'DNAME', 'dname-secure.example.')
    cname_rrset = dns.rrset.from_text(
        'nxd.dname-to-secure.insecure.example.', 0, in_class,
        'CNAME', 'nxd.dname-secure.example.')

    self.assertRcodeEqual(response, dns.rcode.NXDOMAIN)
    self.assertMessageHasFlags(response, ['QR', 'RD', 'RA'], ['DO'])
    for present_rrset in (cname_rrset, dname_rrset):
        self.assertRRsetInAnswer(response, present_rrset)