git.ipfire.org Git - thirdparty/pdns.git/blob - regression-tests.recursor-dnssec/basicDNSSEC.py
2 from recursortests
import RecursorTest
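class BasicDNSSEC(RecursorTest):
    """Baseline DNSSEC checks against a recursor configured with ``dnssec=validate``.

    Each test queries a name under ``secure.example``, ``insecure.example``,
    ``bogus.example`` or ``optout.example`` and asserts the rcode and, where
    the test expects signed data, a covering RRSIG and an authenticated reply.

    NOTE(review): this listing was recovered from a rendered page that drops
    some source lines (going by the gutter numbers: 6, 9-10 and 19-20, besides
    blank ones). The ``setUp`` header and the ``if useTCP:`` branch below are
    reconstructed from the statements that survived; confirm both, and
    whether line 6 holds a class attribute, against the repository.
    """

    # Recursor configuration used for every test in this class.
    _config_template = """dnssec=validate"""

    # NOTE(review): decorator and signature are not visible in the listing;
    # the body only uses ``cls``, so a classmethod is assumed - confirm.
    @classmethod
    def setUp(cls):
        """Wipe the recursor cache for this configuration before a test runs."""
        confdir = os.path.join('configs', cls._confdir)
        cls.wipeRecursorCache(confdir)

    def sendQuery(self, name, rdtype, useTCP=False):
        """Build a DNSSEC-aware query for *name*/*rdtype*, send it, return the reply.

        The query is created with ``want_dnssec=True`` (the EDNS DO bit, so
        signatures are requested) and has the AD flag set, which per RFC 6840
        tells the resolver that the client is interested in the AD bit of the
        response. The result is whatever ``sendTCPQuery`` / ``sendUDPQuery``
        return; the tests use it as the response message.

        :param name: owner name to query, as text
        :param rdtype: record type to query, as text (``'A'``, ``'AAAA'``)
        :param useTCP: send over TCP instead of UDP
        """
        msg = dns.message.make_query(name, rdtype, want_dnssec=True)
        msg.flags |= dns.flags.AD

        # NOTE(review): the branch line is missing from the listing; it is
        # implied by the parameter and the two returns.
        if useTCP:
            return self.sendTCPQuery(msg)
        return self.sendUDPQuery(msg)

    def testSecureAnswer(self):
        """A record in the signed zone: NOERROR, covering RRSIG, authenticated."""
        res = self.sendQuery('ns.secure.example.', 'A')
        expected = dns.rrset.from_text(
            'ns.secure.example.', 0, dns.rdataclass.IN, 'A',
            '{prefix}.10'.format(prefix=self._PREFIX))

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expected)
        self.assertMessageIsAuthenticated(res)

    def testInsecureAnswer(self):
        """A record in the unsigned zone: NOERROR, no RRSIGs, AD not expected."""
        res = self.sendQuery('node1.insecure.example.', 'A')

        self.assertNoRRSIGsInAnswer(res)
        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        # A validator must not present unsigned data as authenticated. Use
        # the same flag expectation (no AD) that the CNAME-chain tests in
        # this class apply to replies that are not fully secure.
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])

    def testBogusAnswer(self):
        """Data that fails validation is withheld: SERVFAIL and an empty answer."""
        res = self.sendQuery('ted.bogus.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
        self.assertAnswerEmpty(res)

    def testSecureNXDOMAIN(self):
        """Nonexistent name in the signed zone yields NXDOMAIN."""
        res = self.sendQuery('nxdomain.secure.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)

    def testInsecureNXDOMAIN(self):
        """Nonexistent name in the unsigned zone yields NXDOMAIN."""
        res = self.sendQuery('nxdomain.insecure.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)

    def testBogusNXDOMAIN(self):
        """A denial from the bogus zone is not trusted: SERVFAIL, not NXDOMAIN."""
        res = self.sendQuery('nxdomain.bogus.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.SERVFAIL)

    def testSecureOptoutAnswer(self):
        """Signed name under the opt-out zone: NOERROR, RRSIG, authenticated."""
        res = self.sendQuery('node1.secure.optout.example.', 'A')
        expected = dns.rrset.from_text(
            'node1.secure.optout.example.', 0, dns.rdataclass.IN, 'A',
            '192.0.2.8')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expected)
        self.assertMessageIsAuthenticated(res)

    def testInsecureOptoutAnswer(self):
        """Unsigned name under the opt-out zone: NOERROR, no RRSIGs, AD not expected."""
        res = self.sendQuery('node1.insecure.optout.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertNoRRSIGsInAnswer(res)
        # Unsigned data must not come back flagged as authenticated; same
        # flag expectation (no AD) as the insecure CNAME-chain tests.
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])

    def testSecureSubtreeInZoneAnswer(self):
        """Existing name below ``sub.secure.example``: NOERROR, RRSIG, authenticated."""
        res = self.sendQuery('host1.sub.secure.example.', 'A')
        expected = dns.rrset.from_text(
            'host1.sub.secure.example.', 0, dns.rdataclass.IN, 'A',
            '192.0.2.11')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expected)
        self.assertMessageIsAuthenticated(res)

    def testSecureSubtreeInZoneNXDOMAIN(self):
        """Missing name below ``sub.secure.example``: authenticated NXDOMAIN."""
        res = self.sendQuery('host2.sub.secure.example.', 'A')

        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
        self.assertMessageIsAuthenticated(res)

    def testSecureWildcardAnswer(self):
        """Wildcard-synthesised A record: NOERROR, RRSIG, authenticated."""
        res = self.sendQuery('something.wildcard.secure.example.', 'A')
        expected = dns.rrset.from_text(
            'something.wildcard.secure.example.', 0, dns.rdataclass.IN, 'A',
            '192.0.2.10')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expected)
        self.assertMessageIsAuthenticated(res)

    def testSecureCNAMEWildCardAnswer(self):
        """Wildcard CNAME to a signed A record: both RRsets need a covering RRSIG."""
        res = self.sendQuery('something.cnamewildcard.secure.example.', 'A')
        expectedCNAME = dns.rrset.from_text(
            'something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')
        expectedA = dns.rrset.from_text(
            'host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
        self.assertMatchingRRSIGInAnswer(res, expectedA)
        self.assertMessageIsAuthenticated(res)

    def testSecureCNAMEWildCardNXDOMAIN(self):
        """Wildcard CNAME to a missing name: signed CNAME plus authenticated NXDOMAIN."""
        # the answer to this query reaches the UDP truncation threshold, so let's use TCP
        res = self.sendQuery(
            'something.cnamewildcardnxdomain.secure.example.', 'A',
            useTCP=True)
        expectedCNAME = dns.rrset.from_text(
            'something.cnamewildcardnxdomain.secure.example.', 0,
            dns.rdataclass.IN, 'CNAME', 'doesntexist.secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
        self.assertMessageIsAuthenticated(res)

    def testSecureNoData(self):
        """Existing name without an AAAA record: authenticated NODATA with an SOA."""
        res = self.sendQuery('host1.secure.example.', 'AAAA')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertAnswerEmpty(res)
        self.assertAuthorityHasSOA(res)
        self.assertMessageIsAuthenticated(res)

    def testSecureCNAMENoData(self):
        """CNAME whose target has no AAAA: signed CNAME, SOA, authenticated."""
        res = self.sendQuery('cname.secure.example.', 'AAAA')
        expectedCNAME = dns.rrset.from_text(
            'cname.secure.example.', 0, dns.rdataclass.IN, 'CNAME',
            'host1.secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
        self.assertAuthorityHasSOA(res)
        self.assertMessageIsAuthenticated(res)

    def testSecureWildCardNoData(self):
        """Wildcard CNAME whose target has no AAAA: signed CNAME, SOA, authenticated."""
        res = self.sendQuery('something.cnamewildcard.secure.example.', 'AAAA')
        expectedCNAME = dns.rrset.from_text(
            'something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
        self.assertAuthorityHasSOA(res)
        self.assertMessageIsAuthenticated(res)

    def testInsecureToSecureCNAMEAnswer(self):
        """Unsigned CNAME pointing at a signed A record.

        The expected flag list omits AD: a chain that starts in an unsigned
        zone is not authenticated as a whole, even though the A RRset at the
        end of it carries a covering RRSIG.
        """
        res = self.sendQuery('cname-to-secure.insecure.example.', 'A')
        expectedA = dns.rrset.from_text(
            'host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
        expectedCNAME = dns.rrset.from_text(
            'cname-to-secure.insecure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(res, expectedCNAME)
        self.assertMatchingRRSIGInAnswer(res, expectedA)

    def testSecureToInsecureCNAMEAnswer(self):
        """Signed CNAME pointing at an unsigned A record.

        The expected flag list omits AD: the signed CNAME carries a covering
        RRSIG, but the chain ends in unsigned data.
        """
        res = self.sendQuery('cname-to-insecure.secure.example.', 'A')
        expectedA = dns.rrset.from_text(
            'node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
        # NOTE(review): the CNAME target below is node1.secure.example. while
        # the A record expected in the answer is node1.insecure.example.;
        # this looks like a typo. Whether it matters depends on how
        # assertMatchingRRSIGInAnswer compares the RRset - confirm against
        # the helper and the zone data before changing it.
        expectedCNAME = dns.rrset.from_text(
            'cname-to-insecure.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'node1.secure.example.')

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(res, expectedA)
        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)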