X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=regression-tests.recursor-dnssec%2FbasicDNSSEC.py;h=4a71292e9b55d8fdcd8594dcb9e9c3a252b8d8a8;hb=78c0b8ef41505f6bd916a6cda66654f0756a68a6;hp=a630fac178c8fb5f1759ee7b1be8693fd2488a69;hpb=02384baeb9a7ff7f28a4a662eedfb78c9fb6f1b6;p=thirdparty%2Fpdns.git
diff --git a/regression-tests.recursor-dnssec/basicDNSSEC.py b/regression-tests.recursor-dnssec/basicDNSSEC.py
index a630fac178..4a71292e9b 100644
--- a/regression-tests.recursor-dnssec/basicDNSSEC.py
+++ b/regression-tests.recursor-dnssec/basicDNSSEC.py
@@ -11,16 +11,6 @@ class BasicDNSSEC(RecursorTest):
 confdir = os.path.join('configs', cls._confdir)
 cls.wipeRecursorCache(confdir)
- @classmethod
- def sendQuery(self, name, rdtype, useTCP=False):
- """Helper function that creates the query"""
- msg = dns.message.make_query(name, rdtype, want_dnssec=True)
- msg.flags |= dns.flags.AD
-
- if useTCP:
- return self.sendTCPQuery(msg)
- return self.sendUDPQuery(msg)
-
 def testSecureAnswer(self):
 res = self.sendQuery('ns.secure.example.', 'A')
 expected = dns.rrset.from_text('ns.secure.example.', 0, dns.rdataclass.IN, 'A', '{prefix}.10'.format(prefix=self._PREFIX))
@@ -35,6 +25,14 @@ class BasicDNSSEC(RecursorTest):
 self.assertNoRRSIGsInAnswer(res)
 self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ # now we request the DS for insecure.example., which does not exist,
+ # to check that we correctly get the SOA and not just the denial proof
+ # that the recursor received on the delegation from example. to insecure.example.
+ res = self.sendQuery('insecure.example.', 'DS')
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageIsAuthenticated(res)
+ self.assertAuthorityHasSOA(res)
+
 def testBogusAnswer(self):
 res = self.sendQuery('ted.bogus.example.', 'A')
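Review bot: The added DS check for `insecure.example.` pins the rcode, the authenticated state and the SOA, but not that the answer section is empty, so a NOERROR response that carried unexpected records would still pass. Since the comment says the DS does not exist, adding `self.assertAnswerEmpty(res)` after the rcode assertion would pin the NODATA shape. The comment could also say why the response is expected to be authenticated although the zone is insecure, for example `# the denial of the DS comes from the signed parent example., so the response is expected to be authenticated`. The enclosing test method starts above the hunk, so this is based only on the lines shown.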
@@ -105,7 +103,7 @@ class BasicDNSSEC(RecursorTest):
 def testSecureCNAMEWildCardNXDOMAIN(self):
 # the answer to this query reaches the UDP truncation threshold, so let's use TCP
 res = self.sendQuery('something.cnamewildcardnxdomain.secure.example.', 'A', useTCP=True)
- expectedCNAME = dns.rrset.from_text('something.cnamewildcardnxdomain.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'doesntexist.secure.example.')
+ expectedCNAME = dns.rrset.from_text('something.cnamewildcardnxdomain.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'doesnotexist.secure.example.')
 self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
 self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
@@ -157,3 +155,127 @@ class BasicDNSSEC(RecursorTest):
 self.assertRRsetInAnswer(res, expectedA)
 self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
+ def testSecureDNAMEToSecureAnswer(self):
+ res = self.sendQuery('host1.dname-secure.secure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME = dns.rrset.from_text('host1.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.')
+ expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+ def testSecureDNAMEToSecureNXDomain(self):
+ res = self.sendQuery('nxd.dname-secure.secure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME = dns.rrset.from_text('nxd.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.')
+
+ self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+ def testSecureDNAMEToInsecureAnswer(self):
+ res = self.sendQuery('node1.dname-insecure.secure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.')
+ expectedCNAME = dns.rrset.from_text('node1.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.')
+ expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+ def testSecureDNAMEToInsecureNXDomain(self):
+ res = self.sendQuery('nxd.dname-insecure.secure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.')
+ expectedCNAME = dns.rrset.from_text('nxd.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.insecure.example.')
+
+ self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+ def testSecureDNAMEToBogusAnswer(self):
+ res = self.sendQuery('ted.dname-bogus.secure.example.', 'A')
+
+ self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+ self.assertAnswerEmpty(res)
+
+ def testSecureDNAMEToBogusNXDomain(self):
+ res = self.sendQuery('nxd.dname-bogus.secure.example.', 'A')
+
+ self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+ self.assertAnswerEmpty(res)
+
+ def testInsecureDNAMEtoSecureAnswer(self):
+ res = self.sendQuery('host1.dname-to-secure.insecure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME = dns.rrset.from_text('host1.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.')
+ expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+ def testSecureDNAMEToSecureCNAMEAnswer(self):
+ res = self.sendQuery('cname-to-secure.dname-secure.secure.example.', 'A')
+
+ expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME1 = dns.rrset.from_text('cname-to-secure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-secure.dname-secure.example.')
+ expectedCNAME2 = dns.rrset.from_text('cname-to-secure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
+ expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertRRsetInAnswer(res, expectedCNAME1)
+ self.assertRRsetInAnswer(res, expectedCNAME2)
+ self.assertMatchingRRSIGInAnswer(res, expectedCNAME2)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+ def testSecureDNAMEToInsecureCNAMEAnswer(self):
+ res = self.sendQuery('cname-to-insecure.dname-secure.secure.example.', 'A')
+
+ expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME1 = dns.rrset.from_text('cname-to-insecure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-insecure.dname-secure.example.')
+ expectedCNAME2 = dns.rrset.from_text('cname-to-insecure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.')
+ expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertRRsetInAnswer(res, expectedCNAME1)
+ self.assertRRsetInAnswer(res, expectedCNAME2)
+ self.assertMatchingRRSIGInAnswer(res, expectedCNAME2)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+ def testSecureDNAMEToBogusCNAMEAnswer(self):
+ res = self.sendQuery('cname-to-bogus.dname-secure.secure.example.', 'A')
+
+ self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+ self.assertAnswerEmpty(res)
+
+ def testInsecureDNAMEtoSecureNXDomain(self):
+ res = self.sendQuery('nxd.dname-to-secure.insecure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME = dns.rrset.from_text('nxd.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.')
+
+ self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
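Review bot: The three NXDOMAIN cases (`testSecureDNAMEToSecureNXDomain`, `testSecureDNAMEToInsecureNXDomain`, `testInsecureDNAMEtoSecureNXDomain`) assert only on the answer section, so nothing pins the authority section that carries the negative answer for the DNAME target. If the recursor is expected to return the SOA there, `self.assertAuthorityHasSOA(res)` in each would cover it. The mixed chains (secure DNAME to insecure target and the reverse) depend on `assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])` rejecting a response that carries AD; that helper is not visible here, so if it checks only for the listed flags, an explicit AD-clear assertion is needed in those tests. A one-line comment per test giving the expected validation state of the chain would help, and `testInsecureDNAMEtoSecure…` uses a lower-case `to` where the other new names use `To`.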