From: Remi Gacogne Date: Mon, 8 Jan 2018 14:43:47 +0000 (+0100) Subject: rec: Add unit tests to make sure we correctly detect an unsigned DS X-Git-Tag: rec-4.1.1~3^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cd48a0ffec1cbcaee60184a158e6a204d42c24c3;p=thirdparty%2Fpdns.git rec: Add unit tests to make sure we correctly detect an unsigned DS (cherry picked from commit f100caacf6b5fe6624aa3909ad6cb988d7f22148) --- diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc index da270a2eca..a577dfd3f1 100644 --- a/pdns/recursordist/test-syncres_cc.cc +++ b/pdns/recursordist/test-syncres_cc.cc @@ -4241,6 +4241,144 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_algo) { BOOST_CHECK_EQUAL(queriesCount, 2); } +BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds) { + std::unique_ptr sr; + initSR(sr, true); + + setDNSSECValidation(sr, DNSSECMode::ValidateAll); + + primeHints(); + const DNSName target("com."); + const ComboAddress targetAddr("192.0.2.42"); + testkeysset_t keys; + + auto luaconfsCopy = g_luaconfs.getCopy(); + luaconfsCopy.dsAnchors.clear(); + generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors); + generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); + + g_luaconfs.setState(luaconfsCopy); + + size_t queriesCount = 0; + + sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional& srcmask, boost::optional context, std::shared_ptr outgoingLogger, LWResult* res) { + queriesCount++; + + DNSName auth = domain; + + if (type == QType::DS || type == QType::DNSKEY) { + if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys) == 0) { + return 0; + } + + if (type == QType::DS && domain == target) { + /* remove the last record, which is the DS's RRSIG */ + res->d_records.pop_back(); + } + + return 1; + } + + if (isRootServer(ip)) { + setLWResult(res, 0, false, false, true); + addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); + /* Include the DS but omit the RRSIG*/ + addDS(DNSName("com."), 300, res->d_records, keys); + addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); + return 1; + } + + if (ip == ComboAddress("192.0.2.1:53")) { + setLWResult(res, RCode::NoError, true, false, true); + addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); + addRRSIG(keys, res->d_records, auth, 300); + return 1; + } + + return 0; + }); + + vector ret; + int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NoError); + BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); + BOOST_REQUIRE_EQUAL(ret.size(), 2); + BOOST_CHECK_EQUAL(queriesCount, 4); + + /* again, to test the cache */ + ret.clear(); + res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NoError); + BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); + BOOST_REQUIRE_EQUAL(ret.size(), 2); + BOOST_CHECK_EQUAL(queriesCount, 4); + + /* now we ask directly for the DS */ + ret.clear(); + res = sr->beginResolve(DNSName("com."), QType(QType::DS), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NoError); + BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); + BOOST_REQUIRE_EQUAL(ret.size(), 1); + BOOST_CHECK_EQUAL(queriesCount, 4); +} + +BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds_direct) { + std::unique_ptr sr; + initSR(sr, true); + + setDNSSECValidation(sr, DNSSECMode::ValidateAll); + + primeHints(); + const DNSName target("com."); + testkeysset_t keys; + + auto luaconfsCopy = g_luaconfs.getCopy(); + luaconfsCopy.dsAnchors.clear(); + generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors); + generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); + + g_luaconfs.setState(luaconfsCopy); + + size_t queriesCount = 0; + + sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional& srcmask, boost::optional context, std::shared_ptr outgoingLogger, LWResult* res) { + queriesCount++; + + DNSName auth = domain; + + if (type == QType::DS || type == QType::DNSKEY) { + if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys) == 0) { + return 0; + } + + if (type == QType::DS && domain == target) { + /* remove the last record, which is the DS's RRSIG */ + res->d_records.pop_back(); + } + + return 1; + } + + if (isRootServer(ip)) { + setLWResult(res, 0, false, false, true); + addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); + /* Include the DS but omit the RRSIG*/ + addDS(DNSName("com."), 300, res->d_records, keys); + addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); + return 1; + } + + return 0; + }); + + vector ret; + int res = sr->beginResolve(DNSName("com."), QType(QType::DS), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NoError); + BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); + BOOST_REQUIRE_EQUAL(ret.size(), 1); + BOOST_CHECK_EQUAL(queriesCount, 1); +} + BOOST_AUTO_TEST_CASE(test_dnssec_secure_various_algos) { std::unique_ptr sr; initSR(sr, true); @@ -6981,7 +7119,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname) { BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname_glue) { std::unique_ptr sr; - initSR(sr, true, true); + initSR(sr, true); setDNSSECValidation(sr, DNSSECMode::ValidateAll);