git.ipfire.org Git - thirdparty/pdns.git/blob - regression-tests.recursor-dnssec/test_NTA.py
import dns
from recursortests import RecursorTest
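class testSimple(RecursorTest):
    """Check that negative trust anchors (NTAs) make answers Insecure.

    The recursor is configured with ``dnssec=validate``. The Lua configuration
    sets an NTA for ``bogus.example`` and, for ``secure.optout.example``, both
    an NTA and a trust anchor (``addTA``), so every name queried by these
    tests lies at or below a configured NTA.
    """

    _config_template = """dnssec=validate"""
    _lua_config_file = """addNTA("bogus.example")
addNTA('secure.optout.example', 'Should be Insecure, even with DS configured')
addTA('secure.optout.example', '64215 13 1 b88284d7a8d8605c398e8942262f97b9a5a31787')"""

    def _assertInsecureA(self, qname):
        """Query *qname* for an A record over UDP and require an Insecure answer.

        The query carries the AD and RD header flags and the EDNS DO flag.
        The response must have QR, RA and RD set, echo DO, leave AD clear
        and carry rcode NOERROR.

        @param qname: the fully qualified name to query, as a string
        """
        query = dns.message.make_query(qname, dns.rdatatype.A)
        query.flags = dns.flags.from_text('AD RD')
        query.use_edns(edns=0, ednsflags=dns.flags.edns_from_text('DO'))

        response = self.sendUDPQuery(query)

        self.assertMessageHasFlags(response, ['QR', 'RA', 'RD'], ['DO'])
        # The tests promise an Insecure result, which on the wire means the AD
        # bit is absent. Assert that directly so the check does not depend on
        # how assertMessageHasFlags (defined outside this file) treats flags
        # that are missing from the expected list.
        self.assertFalse(response.flags & dns.flags.AD,
                         "AD is set on an answer for a name covered by an NTA")
        self.assertRcodeEqual(response, dns.rcode.NOERROR)

    def testDirectNTA(self):
        """Ensure a direct query to a bogus name with an NTA is Insecure"""
        self._assertInsecureA("ted.bogus.example.")

    def testCNAMENTA(self):
        """Ensure a CNAME from a secure zone to a bogus one with an NTA is Insecure"""
        self._assertInsecureA("cname-to-bogus.secure.example.")

    def testSecureWithNTAandDS(self):
        """#4391: when there is a TA *and* NTA configured for a name, the result must be insecure"""
        self._assertInsecureA("node1.secure.optout.example.")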