BOOST_CHECK_EQUAL(queriesCount, 6U);
}
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard_duplicated_nsec3) {
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard_duplicated_nsec3)
+{
std::unique_ptr<SyncRes> sr;
initSR(sr, true);
size_t queriesCount = 0;
- sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
- queriesCount++;
+ sr->setAsyncCallback([target, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+ queriesCount++;
- if (type == QType::DS || type == QType::DNSKEY) {
- if (type == QType::DS && domain == target) {
- DNSName auth("com.");
- setLWResult(res, 0, true, false, true);
+ if (type == QType::DS || type == QType::DNSKEY) {
+ if (type == QType::DS && domain == target) {
+ DNSName auth("com.");
+ setLWResult(res, 0, true, false, true);
- addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
- addRRSIG(keys, res->d_records, auth, 300);
- /* add a NSEC3 denying the DS AND the existence of a cut (no NS) */
- /* first the closest encloser */
- addNSEC3UnhashedRecordToLW(DNSName("com."), auth, "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records);
- addRRSIG(keys, res->d_records, auth, 300);
- /* then the next closer */
- addNSEC3NarrowRecordToLW(domain, DNSName("com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records);
- addRRSIG(keys, res->d_records, auth, 300);
- /* a wildcard matches but has no record for this type */
- addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records);
- addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com"));
- return 1;
- }
- return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+ addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+ addRRSIG(keys, res->d_records, auth, 300);
+ /* add a NSEC3 denying the DS AND the existence of a cut (no NS) */
+ /* first the closest encloser */
+ addNSEC3UnhashedRecordToLW(DNSName("com."), auth, "whatever", {QType::A, QType::TXT, QType::RRSIG, QType::NSEC}, 600, res->d_records);
+ addRRSIG(keys, res->d_records, auth, 300);
+ /* then the next closer */
+ addNSEC3NarrowRecordToLW(domain, DNSName("com."), {QType::RRSIG, QType::NSEC}, 600, res->d_records);
+ addRRSIG(keys, res->d_records, auth, 300);
+ /* a wildcard matches but has no record for this type */
+ addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", {QType::AAAA, QType::NSEC, QType::RRSIG}, 600, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com"));
+ return 1;
}
- else {
- if (isRootServer(ip)) {
- setLWResult(res, 0, false, false, true);
- addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
- addDS(DNSName("com."), 300, res->d_records, keys);
- addRRSIG(keys, res->d_records, DNSName("."), 300);
- addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
- return 1;
- }
- else if (ip == ComboAddress("192.0.2.1:53")) {
- setLWResult(res, 0, true, false, true);
- /* no data */
- addRecordToLW(res, DNSName("com."), QType::SOA, "com. com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
- addRRSIG(keys, res->d_records, DNSName("com."), 300);
- /* no record for this name */
- /* first the closest encloser */
- addNSEC3UnhashedRecordToLW(DNSName("com."), DNSName("com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records);
- addRRSIG(keys, res->d_records, DNSName("com."), 300);
- /* !! we duplicate the NSEC3 on purpose, to check deduplication. The RRSIG will have been computed for a RRSET containing only one NSEC3 and should not be valid. */
- addNSEC3UnhashedRecordToLW(DNSName("com."), DNSName("com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records);
- /* then the next closer */
- addNSEC3NarrowRecordToLW(domain, DNSName("com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records);
- addRRSIG(keys, res->d_records, DNSName("com."), 300);
- /* a wildcard matches but has no record for this type */
- addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records);
- addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com"));
- return 1;
- }
+ return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+ }
+ else {
+ if (isRootServer(ip)) {
+ setLWResult(res, 0, false, false, true);
+ addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+ addDS(DNSName("com."), 300, res->d_records, keys);
+ addRRSIG(keys, res->d_records, DNSName("."), 300);
+ addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+ return 1;
}
+ else if (ip == ComboAddress("192.0.2.1:53")) {
+ setLWResult(res, 0, true, false, true);
+ /* no data */
+ addRecordToLW(res, DNSName("com."), QType::SOA, "com. com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+ addRRSIG(keys, res->d_records, DNSName("com."), 300);
+ /* no record for this name */
+ /* first the closest encloser */
+ addNSEC3UnhashedRecordToLW(DNSName("com."), DNSName("com."), "whatever", {QType::A, QType::TXT, QType::RRSIG, QType::NSEC}, 600, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("com."), 300);
+ /* !! we duplicate the NSEC3 on purpose, to check deduplication. The RRSIG will have been computed for a RRSET containing only one NSEC3 and should not be valid. */
+ addNSEC3UnhashedRecordToLW(DNSName("com."), DNSName("com."), "whatever", {QType::A, QType::TXT, QType::RRSIG, QType::NSEC}, 600, res->d_records);
+ /* then the next closer */
+ addNSEC3NarrowRecordToLW(domain, DNSName("com."), {QType::RRSIG, QType::NSEC}, 600, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("com."), 300);
+ /* a wildcard matches but has no record for this type */
+ addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", {QType::AAAA, QType::NSEC, QType::RRSIG}, 600, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com"));
+ return 1;
+ }
+ }
- return 0;
- });
+ return 0;
+ });
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(queriesCount, 6U);
}
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard_too_many_iterations) {
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard_too_many_iterations)
+{
std::unique_ptr<SyncRes> sr;
initSR(sr, true);
No wrap test case:
a.example.org. -> d.example.org. denies the existence of b.example.org.
*/
- addNSECRecordToLW(DNSName("a.example.org."), DNSName("d.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+ addNSECRecordToLW(DNSName("a.example.org."), DNSName("d.example.org"), {QType::A, QType::TXT, QType::RRSIG, QType::NSEC}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("example.org."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
/* add wildcard denial */
recordContents.clear();
signatureContents.clear();
- addNSECRecordToLW(DNSName("example.org."), DNSName("+.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+ addNSECRecordToLW(DNSName("example.org."), DNSName("+.example.org"), {QType::A, QType::TXT, QType::RRSIG, QType::NSEC}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("example.org."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
Wrap case 1 test case:
z.example.org. -> b.example.org. denies the existence of a.example.org.
*/
- addNSECRecordToLW(DNSName("z.example.org."), DNSName("b.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+ addNSECRecordToLW(DNSName("z.example.org."), DNSName("b.example.org"), {QType::A, QType::TXT, QType::RRSIG, QType::NSEC}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("example.org."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
Wrap case 2 test case:
y.example.org. -> a.example.org. denies the existence of z.example.org.
*/
- addNSECRecordToLW(DNSName("y.example.org."), DNSName("a.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+ addNSECRecordToLW(DNSName("y.example.org."), DNSName("a.example.org"), {QType::A, QType::TXT, QType::RRSIG, QType::NSEC}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("example.org."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
Only one NSEC in the whole zone test case:
a.example.org. -> a.example.org. denies the existence of b.example.org.
*/
- addNSECRecordToLW(DNSName("a.example.org."), DNSName("a.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+ addNSECRecordToLW(DNSName("a.example.org."), DNSName("a.example.org"), {QType::A, QType::TXT, QType::RRSIG, QType::NSEC}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("example.org."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
The RRSIG from "." denies the existence of anything between a. and c.,
including b.
*/
- addNSECRecordToLW(DNSName("a."), DNSName("c."), { QType::NS }, 600, records);
+ addNSECRecordToLW(DNSName("a."), DNSName("c."), {QType::NS}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
/* add wildcard denial */
recordContents.clear();
signatureContents.clear();
- addNSECRecordToLW(DNSName("."), DNSName("+"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+ addNSECRecordToLW(DNSName("."), DNSName("+"), {QType::A, QType::TXT, QType::RRSIG, QType::NSEC}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
signer field that is shorter than the owner name of the NSEC RR) it can't
be used to deny anything except the whole name or a DS.
*/
- addNSECRecordToLW(DNSName("a."), DNSName("b."), { QType::NS }, 600, records);
+ addNSECRecordToLW(DNSName("a."), DNSName("b."), {QType::NS}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
NS should be set if it was proving an insecure delegation, let's check that
we correctly detect that it's not.
*/
- addNSECRecordToLW(DNSName("a."), DNSName("b."), { }, 600, records);
+ addNSECRecordToLW(DNSName("a."), DNSName("b."), {}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
sortedRecords_t recordContents;
vector<shared_ptr<RRSIGRecordContent>> signatureContents;
- addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("a.c.powerdns.com."), { QType::CNAME }, 600, records);
+ addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("a.c.powerdns.com."), {QType::CNAME}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("powerdns.com."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
sortedRecords_t recordContents;
vector<shared_ptr<RRSIGRecordContent>> signatureContents;
- addNSEC3UnhashedRecordToLW(DNSName("a.powerdns.com."), DNSName("powerdns.com."), "whatever", { QType::CNAME }, 600, records);
+ addNSEC3UnhashedRecordToLW(DNSName("a.powerdns.com."), DNSName("powerdns.com."), "whatever", {QType::CNAME}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("powerdns.com."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
sortedRecords_t recordContents;
vector<shared_ptr<RRSIGRecordContent>> signatureContents;
- addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("d.powerdns.com"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+ addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("d.powerdns.com"), {QType::A, QType::TXT, QType::RRSIG, QType::NSEC}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("powerdns.com."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
sortedRecords_t recordContents;
vector<shared_ptr<RRSIGRecordContent>> signatureContents;
- addNSEC3NarrowRecordToLW(DNSName("a.powerdns.com."), DNSName("powerdns.com."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+ addNSEC3NarrowRecordToLW(DNSName("a.powerdns.com."), DNSName("powerdns.com."), {QType::A, QType::TXT, QType::RRSIG, QType::NSEC}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("powerdns.com."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
recordContents.clear();
signatureContents.clear();
records.clear();
- addNSEC3UnhashedRecordToLW(DNSName("powerdns.com."), DNSName("powerdns.com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+ addNSEC3UnhashedRecordToLW(DNSName("powerdns.com."), DNSName("powerdns.com."), "whatever", {QType::A, QType::TXT, QType::RRSIG, QType::NSEC}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("powerdns.com."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
sortedRecords_t recordContents;
vector<shared_ptr<RRSIGRecordContent>> signatureContents;
- addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("a.c.powerdns.com."), { QType::A }, 600, records);
+ addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("a.c.powerdns.com."), {QType::A}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("powerdns.com."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
/* if we add the wildcard denial proof, we should get a NXDOMAIN proof for b.powerdns.com */
recordContents.clear();
signatureContents.clear();
- addNSECRecordToLW(DNSName(").powerdns.com."), DNSName("+.powerdns.com."), { }, 600, records);
+ addNSECRecordToLW(DNSName(").powerdns.com."), DNSName("+.powerdns.com."), {}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("powerdns.com."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
signer field that is shorter than the owner name of the NSEC RR) it can't
be used to deny anything except the whole name or a DS.
*/
- addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", { QType::NS }, 600, records);
+ addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", {QType::NS}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
recordContents.clear();
signatureContents.clear();
records.clear();
- addNSEC3NarrowRecordToLW(DNSName("sub.a."), DNSName("."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC3 }, 600, records);
+ addNSEC3NarrowRecordToLW(DNSName("sub.a."), DNSName("."), {QType::A, QType::TXT, QType::RRSIG, QType::NSEC3}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
recordContents.clear();
signatureContents.clear();
records.clear();
- addNSEC3NarrowRecordToLW(DNSName("*.a."), DNSName("."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC3 }, 600, records);
+ addNSEC3NarrowRecordToLW(DNSName("*.a."), DNSName("."), {QType::A, QType::TXT, QType::RRSIG, QType::NSEC3}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
vector<shared_ptr<RRSIGRecordContent>> signatureContents;
/* adding a NSEC3 with more iterations that we support */
- addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", { QType::AAAA }, 600, records, g_maxNSEC3Iterations + 100);
+ addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", {QType::AAAA}, 600, records, g_maxNSEC3Iterations + 100);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
NS should be set if it was proving an insecure delegation, let's check that
we correctly detect that it's not.
*/
- addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", { }, 600, records);
+ addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", {}, 600, records);
recordContents.insert(records.at(0).d_content);
addRRSIG(keys, records, DNSName("."), 300);
signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));