From: Remi Gacogne Date: Wed, 6 Sep 2017 14:20:25 +0000 (+0200) Subject: rec: Add unit tests for NSEC authenticated denial of existence X-Git-Tag: rec-4.1.0-rc1~49^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=db04449e526afd68c66f4aa46bd027d1b6c7bb0a;p=thirdparty%2Fpdns.git rec: Add unit tests for NSEC authenticated denial of existence
---
diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index 3898169c13..4011b8dae3 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -6767,6 +6767,146 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_nodata) {
 BOOST_CHECK_EQUAL(queriesCount, 6);
 }
 
+BOOST_AUTO_TEST_CASE(test_nsec_denial_nowrap) {
+ init();
+
+ testkeysset_t keys;
+ generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+ vector records;
+
+ vector> recordContents;
+ vector> signatureContents;
+
+ /*
+ No wrap test case:
+ a.example.org. -> d.example.org. denies the existence of b.example.org.
+ */
+ addNSECRecordToLW(DNSName("a.example.org."), DNSName("d.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+ recordContents.push_back(records.at(0).d_content);
+ addRRSIG(keys, records, DNSName("example.org."), 300);
+ signatureContents.push_back(getRR(records.at(1)));
+ records.clear();
+
+ ContentSigPair pair;
+ pair.records = recordContents;
+ pair.signatures = signatureContents;
+ cspmap_t denialMap;
+ denialMap[std::make_pair(DNSName("a.example.org."), QType::NSEC)] = pair;
+
+ dState denialState = getDenial(denialMap, DNSName("b.example.org."), QType::A);
+ BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
+
+ denialState = getDenial(denialMap, DNSName("d.example.org."), QType::A);
+ /* let's check that d.example.org. is not denied by this proof */
+ BOOST_CHECK_EQUAL(denialState, NODATA);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec_denial_wrap_case_1) {
+ init();
+
+ testkeysset_t keys;
+ generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+ vector records;
+
+ vector> recordContents;
+ vector> signatureContents;
+
+ /*
+ Wrap case 1 test case:
+ z.example.org. -> b.example.org. denies the existence of a.example.org.
+ */
+ addNSECRecordToLW(DNSName("z.example.org."), DNSName("b.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+ recordContents.push_back(records.at(0).d_content);
+ addRRSIG(keys, records, DNSName("example.org."), 300);
+ signatureContents.push_back(getRR(records.at(1)));
+ records.clear();
+
+ ContentSigPair pair;
+ pair.records = recordContents;
+ pair.signatures = signatureContents;
+ cspmap_t denialMap;
+ denialMap[std::make_pair(DNSName("z.example.org."), QType::NSEC)] = pair;
+
+ dState denialState = getDenial(denialMap, DNSName("a.example.org."), QType::A);
+ BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
+
+ denialState = getDenial(denialMap, DNSName("d.example.org."), QType::A);
+ /* let's check that d.example.org. is not denied by this proof */
+ BOOST_CHECK_EQUAL(denialState, NODATA);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec_denial_wrap_case_2) {
+ init();
+
+ testkeysset_t keys;
+ generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+ vector records;
+
+ vector> recordContents;
+ vector> signatureContents;
+
+ /*
+ Wrap case 2 test case:
+ y.example.org. -> a.example.org. denies the existence of z.example.org.
+ */
+ addNSECRecordToLW(DNSName("y.example.org."), DNSName("a.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+ recordContents.push_back(records.at(0).d_content);
+ addRRSIG(keys, records, DNSName("example.org."), 300);
+ signatureContents.push_back(getRR(records.at(1)));
+ records.clear();
+
+ ContentSigPair pair;
+ pair.records = recordContents;
+ pair.signatures = signatureContents;
+ cspmap_t denialMap;
+ denialMap[std::make_pair(DNSName("y.example.org."), QType::NSEC)] = pair;
+
+ dState denialState = getDenial(denialMap, DNSName("z.example.org."), QType::A);
+ BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
+
+ denialState = getDenial(denialMap, DNSName("d.example.org."), QType::A);
+ /* let's check that d.example.org. is not denied by this proof */
+ BOOST_CHECK_EQUAL(denialState, NODATA);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec_denial_only_one_nsec) {
+ init();
+
+ testkeysset_t keys;
+ generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+ vector records;
+
+ vector> recordContents;
+ vector> signatureContents;
+
+ /*
+ Only one NSEC in the whole zone test case:
+ a.example.org. -> a.example.org. denies the existence of b.example.org.
+ */
+ addNSECRecordToLW(DNSName("a.example.org."), DNSName("a.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+ recordContents.push_back(records.at(0).d_content);
+ addRRSIG(keys, records, DNSName("example.org."), 300);
+ signatureContents.push_back(getRR(records.at(1)));
+ records.clear();
+
+ ContentSigPair pair;
+ pair.records = recordContents;
+ pair.signatures = signatureContents;
+ cspmap_t denialMap;
+ denialMap[std::make_pair(DNSName("a.example.org."), QType::NSEC)] = pair;
+
+ dState denialState = getDenial(denialMap, DNSName("b.example.org."), QType::A);
+ BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
+
+ denialState = getDenial(denialMap, DNSName("a.example.org."), QType::A);
+ /* let's check that d.example.org. is not denied by this proof */
+ BOOST_CHECK_EQUAL(denialState, NODATA);
+}
+
 /*
 // cerr<<"asyncresolve called to ask "<