regression-tests.recursor-dnssec/basicDNSSEC.py

   1 import dns
   2 from recursortests import RecursorTest
   3 import os
   4
   5 class BasicDNSSEC(RecursorTest):
   6     __test__ = False
   7     _config_template = """dnssec=validate"""
   8
   9     @classmethod
  10     def setUp(cls):
  11         confdir = os.path.join('configs', cls._confdir)
  12         cls.wipeRecursorCache(confdir)
  13
  14     @classmethod
  15     def sendQuery(self, name, rdtype, useTCP=False):
  16         """Helper function that creates the query"""
  17         msg = dns.message.make_query(name, rdtype, want_dnssec=True)
  18         msg.flags |= dns.flags.AD
  19
  20         if useTCP:
  21             return self.sendTCPQuery(msg)
  22         return self.sendUDPQuery(msg)
  23
  24     def testSecureAnswer(self):
  25         res = self.sendQuery('ns.secure.example.', 'A')
  26         expected = dns.rrset.from_text('ns.secure.example.', 0, dns.rdataclass.IN, 'A', '{prefix}.10'.format(prefix=self._PREFIX))
  27
  28         self.assertRcodeEqual(res, dns.rcode.NOERROR)
  29         self.assertMatchingRRSIGInAnswer(res, expected)
  30         self.assertMessageIsAuthenticated(res)
  31
  32     def testInsecureAnswer(self):
  33         res = self.sendQuery('node1.insecure.example.', 'A')
  34
  35         self.assertNoRRSIGsInAnswer(res)
  36         self.assertRcodeEqual(res, dns.rcode.NOERROR)
  37
  38     def testBogusAnswer(self):
  39         res = self.sendQuery('ted.bogus.example.', 'A')
  40
  41         self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
  42         self.assertAnswerEmpty(res)
  43
  44     def testSecureNXDOMAIN(self):
  45         res = self.sendQuery('nxdomain.secure.example.', 'A')
  46
  47         self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
  48
  49     def testInsecureNXDOMAIN(self):
  50         res = self.sendQuery('nxdomain.insecure.example.', 'A')
  51
  52         self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
  53
  54     def testBogusNXDOMAIN(self):
  55         res = self.sendQuery('nxdomain.bogus.example.', 'A')
  56
  57         self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
  58
  59     def testSecureOptoutAnswer(self):
  60         res = self.sendQuery('node1.secure.optout.example.', 'A')
  61         expected = dns.rrset.from_text('node1.secure.optout.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.8')
  62
  63         self.assertRcodeEqual(res, dns.rcode.NOERROR)
  64         self.assertMatchingRRSIGInAnswer(res, expected)
  65         self.assertMessageIsAuthenticated(res)
  66
  67     def testInsecureOptoutAnswer(self):
  68         res = self.sendQuery('node1.insecure.optout.example.', 'A')
  69
  70         self.assertRcodeEqual(res, dns.rcode.NOERROR)
  71         self.assertNoRRSIGsInAnswer(res)
  72
  73     def testSecureSubtreeInZoneAnswer(self):
  74         res = self.sendQuery('host1.sub.secure.example.', 'A')
  75         expected = dns.rrset.from_text('host1.sub.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.11')
  76
  77         self.assertRcodeEqual(res, dns.rcode.NOERROR)
  78         self.assertMatchingRRSIGInAnswer(res, expected)
  79         self.assertMessageIsAuthenticated(res)
  80
  81     def testSecureSubtreeInZoneNXDOMAIN(self):
  82         res = self.sendQuery('host2.sub.secure.example.', 'A')
  83
  84         self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
  85         self.assertMessageIsAuthenticated(res)
  86
  87     def testSecureWildcardAnswer(self):
  88         res = self.sendQuery('something.wildcard.secure.example.', 'A')
  89         expected = dns.rrset.from_text('something.wildcard.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.10')
  90
  91         self.assertRcodeEqual(res, dns.rcode.NOERROR)
  92         self.assertMatchingRRSIGInAnswer(res, expected)
  93         self.assertMessageIsAuthenticated(res)
  94
  95     def testSecureCNAMEWildCardAnswer(self):
  96         res = self.sendQuery('something.cnamewildcard.secure.example.', 'A')
  97         expectedCNAME = dns.rrset.from_text('something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
  98         expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
  99
 100         self.assertRcodeEqual(res, dns.rcode.NOERROR)
 101         self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
 102         self.assertMatchingRRSIGInAnswer(res, expectedA)
 103         self.assertMessageIsAuthenticated(res)
 104
 105     def testSecureCNAMEWildCardNXDOMAIN(self):
 106         # the answer to this query reaches the UDP truncation threshold, so let's use TCP
 107         res = self.sendQuery('something.cnamewildcardnxdomain.secure.example.', 'A', useTCP=True)
 108         expectedCNAME = dns.rrset.from_text('something.cnamewildcardnxdomain.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'doesntexist.secure.example.')
 109
 110         self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
 111         self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
 112         self.assertMessageIsAuthenticated(res)
 113
 114     def testSecureNoData(self):
 115         res = self.sendQuery('host1.secure.example.', 'AAAA')
 116
 117         self.assertRcodeEqual(res, dns.rcode.NOERROR)
 118         self.assertAnswerEmpty(res)
 119         self.assertAuthorityHasSOA(res)
 120         self.assertMessageIsAuthenticated(res)
 121
 122     def testSecureCNAMENoData(self):
 123         res = self.sendQuery('cname.secure.example.', 'AAAA')
 124         expectedCNAME = dns.rrset.from_text('cname.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
 125
 126         self.assertRcodeEqual(res, dns.rcode.NOERROR)
 127         self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
 128         self.assertAuthorityHasSOA(res)
 129         self.assertMessageIsAuthenticated(res)
 130
 131     def testSecureWildCardNoData(self):
 132         res = self.sendQuery('something.cnamewildcard.secure.example.', 'AAAA')
 133         expectedCNAME = dns.rrset.from_text('something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
 134
 135         self.assertRcodeEqual(res, dns.rcode.NOERROR)
 136         self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
 137         self.assertAuthorityHasSOA(res)
 138         self.assertMessageIsAuthenticated(res)
 139
 140     def testInsecureToSecureCNAMEAnswer(self):
 141         res = self.sendQuery('cname-to-secure.insecure.example.', 'A')
 142         expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
 143         expectedCNAME = dns.rrset.from_text('cname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
 144
 145         self.assertRcodeEqual(res, dns.rcode.NOERROR)
 146         self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
 147         self.assertRRsetInAnswer(res, expectedCNAME)
 148         self.assertMatchingRRSIGInAnswer(res, expectedA)
 149
 150     def testSecureToInsecureCNAMEAnswer(self):
 151         res = self.sendQuery('cname-to-insecure.secure.example.', 'A')
 152         expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
 153         expectedCNAME = dns.rrset.from_text('cname-to-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.secure.example.')
 154
 155         self.assertRcodeEqual(res, dns.rcode.NOERROR)
 156         self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
 157         self.assertRRsetInAnswer(res, expectedA)
 158         self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
 159