From: Otto Moerbeek Date: Wed, 6 Nov 2019 09:48:48 +0000 (+0100) Subject: Test case for 8020 with dnssec enabled X-Git-Tag: dnsdist-1.4.0~17^2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be4f19946bf07c92cd58e5f23f5f9ff38ce07119;p=thirdparty%2Fpdns.git Test case for 8020 with dnssec enabled --- diff --git a/pdns/recursordist/test-syncres_cc2.cc b/pdns/recursordist/test-syncres_cc2.cc index 42c2743ba5..4f27cb5525 100644 --- a/pdns/recursordist/test-syncres_cc2.cc +++ b/pdns/recursordist/test-syncres_cc2.cc @@ -510,6 +510,184 @@ BOOST_AUTO_TEST_CASE(test_rfc8020_nothing_underneath) { // reset SyncRes::s_hardenNXD = SyncRes::HardenNXD::DNSSEC; } + +BOOST_AUTO_TEST_CASE(test_rfc8020_nothing_underneath_dnssec) { + std::unique_ptr sr; + initSR(sr, true); + setDNSSECValidation(sr, DNSSECMode::ValidateAll); + + primeHints(); + + const DNSName parent1("com."); + const DNSName parent2("powerdns.com."); + const DNSName target1("www.powerdns.com."); // will be denied + const DNSName target2("foo.www.powerdns.com."); + const DNSName target3("bar.www.powerdns.com."); + const DNSName target4("quux.bar.www.powerdns.com."); + const ComboAddress ns("192.0.2.1:53"); + + testkeysset_t keys; + + auto luaconfsCopy = g_luaconfs.getCopy(); + luaconfsCopy.dsAnchors.clear(); + generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors); + generateKeyMaterial(parent1, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys); + generateKeyMaterial(parent2, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys); + g_luaconfs.setState(luaconfsCopy); + + size_t queriesCount = 0; + + sr->setAsyncCallback([target1,target2,target3,target4,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional& srcmask, boost::optional context, LWResult* res, bool* chained) { + queriesCount++; + + DNSName auth = domain; + if (domain == target1 || domain == target2 || domain == target3 || domain == target4) { + auth = DNSName("powerdns.com."); + } + if (type == QType::DS || type == QType::DNSKEY) { + if (type == QType::DS && (domain == target1 || domain == target2 || domain == target3 || domain == target4)) { + setLWResult(res, RCode::NXDomain, true, false, true); + addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); + addRRSIG(keys, res->d_records, auth, 300); + addNSECRecordToLW(DNSName("wwa.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records); + addRRSIG(keys, res->d_records, auth, 300); + return 1; + } + else { + return genericDSAndDNSKEYHandler(res, domain, auth, type, keys); + } + } + else { + if (isRootServer(ip)) { + setLWResult(res, 0, false, false, true); + addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); + addDS(DNSName("com."), 300, res->d_records, keys); + addRRSIG(keys, res->d_records, DNSName("."), 300); + addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); + return 1; + } + else if (ip == ComboAddress("192.0.2.1:53")) { + if (domain == DNSName("com.")) { + setLWResult(res, 0, true, false, true); + addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); + addRRSIG(keys, res->d_records, domain, 300); + addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); + addRRSIG(keys, res->d_records, domain, 300); + } + else { + setLWResult(res, 0, false, false, true); + addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); + addDS(auth, 300, res->d_records, keys); + addRRSIG(keys, res->d_records, DNSName("com."), 300); + addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); + } + return 1; + } + else if (ip == ComboAddress("192.0.2.2:53")) { + if (type == QType::NS) { + setLWResult(res, 0, true, false, true); + if (domain == DNSName("powerdns.com.")) { + addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); + addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); + addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); + addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); + } + else { + addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); + addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); + addNSECRecordToLW(DNSName("nx.powerdns.com."), DNSName("nz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); + addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300); + } + } + else { + setLWResult(res, RCode::NXDomain, true, false, true); + addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); + addRRSIG(keys, res->d_records, auth, 300); + addNSECRecordToLW(DNSName("wwa.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records); + addRRSIG(keys, res->d_records, auth, 300); + /* add wildcard denial */ + addNSECRecordToLW(DNSName("powerdns.com."), DNSName("a.powerdns.com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records); + addRRSIG(keys, res->d_records, auth, 300); + } + return 1; + } + } + + return 0; + }); + + vector ret; + int res = sr->beginResolve(target1, QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NXDomain); + BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); + BOOST_CHECK_EQUAL(ret.size(), 6U); + BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 1U); + + ret.clear(); + res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NXDomain); + BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); + BOOST_CHECK_EQUAL(ret.size(), 6U); + BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 1U); + + ret.clear(); + res = sr->beginResolve(target3, QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NXDomain); + BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); + BOOST_CHECK_EQUAL(ret.size(), 6U); + BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 1U); + + ret.clear(); + res = sr->beginResolve(target4, QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NXDomain); + BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); + BOOST_CHECK_EQUAL(ret.size(), 6U); + BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 1U); + + // Now test without RFC 8020 to see the cache and query count grow + SyncRes::s_hardenNXD = SyncRes::HardenNXD::No; + + // Already cached + ret.clear(); + res = sr->beginResolve(target1, QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NXDomain); + BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); + BOOST_CHECK_EQUAL(ret.size(), 6U); + BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 1U); + + // New query + ret.clear(); + res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NXDomain); + BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); + BOOST_CHECK_EQUAL(ret.size(), 6U); + BOOST_CHECK_EQUAL(queriesCount, 11U); + BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 2U); + + ret.clear(); + res = sr->beginResolve(target3, QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NXDomain); + BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); + BOOST_CHECK_EQUAL(ret.size(), 6U); + BOOST_CHECK_EQUAL(queriesCount, 13U); + BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 3U); + + ret.clear(); + res = sr->beginResolve(target4, QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NXDomain); + BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); + BOOST_CHECK_EQUAL(ret.size(), 6U); + BOOST_CHECK_EQUAL(queriesCount, 15U); + BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 4U); + + // reset + SyncRes::s_hardenNXD = SyncRes::HardenNXD::DNSSEC; +} BOOST_AUTO_TEST_CASE(test_rfc8020_nodata) { std::unique_ptr sr;