[thirdparty/pdns.git] / pdns / recursordist / test-syncres_cc.cc

#define BOOST_TEST_DYN_LINK
#include <boost/test/unit_test.hpp>

#include "base32.hh"
#include "lua-recursor4.hh"
#include "root-dnssec.hh"
#include "test-syncres_cc.hh"

RecursorStats g_stats;
GlobalStateHolder<LuaConfigItems> g_luaconfs;
GlobalStateHolder<SuffixMatchNode> g_dontThrottleNames;
GlobalStateHolder<NetmaskGroup> g_dontThrottleNetmasks;
std::unique_ptr<MemRecursorCache> s_RC{nullptr};
unsigned int g_numThreads = 1;
bool g_lowercaseOutgoing = false;

/* Fake some required functions we didn't want the trouble to
   link with */
ArgvMap& arg()
{
  static ArgvMap theArg;
  return theArg;
}

void primeRootNSZones(bool)
{
}

bool RecursorLua4::preoutquery(const ComboAddress& ns, const ComboAddress& requestor, const DNSName& query, const QType& qtype, bool isTcp, vector<DNSRecord>& res, int& ret) const
{
  return false;
}

int asyncresolve(const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, const std::shared_ptr<std::vector<std::unique_ptr<RemoteLogger>>>& outgoingLoggers, const std::shared_ptr<std::vector<std::unique_ptr<FrameStreamLogger>>>& fstrmLoggers, const std::set<uint16_t>& exportTypes, LWResult* res, bool* chained)
{
  return 0;
}

/* primeHints() is only here for now because it
   was way too much trouble to link with the real one.
   We should fix this, empty functions are one thing, but this is
   bad.
*/

#include "root-addresses.hh"

void primeHints(void)
{
  vector<DNSRecord> nsset;
  if (!s_RC)
    s_RC = std::unique_ptr<MemRecursorCache>(new MemRecursorCache());

  DNSRecord arr, aaaarr, nsrr;
  nsrr.d_name = g_rootdnsname;
  arr.d_type = QType::A;
  aaaarr.d_type = QType::AAAA;
  nsrr.d_type = QType::NS;
  arr.d_ttl = aaaarr.d_ttl = nsrr.d_ttl = time(nullptr) + 3600000;

  for (char c = 'a'; c <= 'm'; ++c) {
    char templ[40];
    strncpy(templ, "a.root-servers.net.", sizeof(templ) - 1);
    templ[sizeof(templ) - 1] = '\0';
    *templ = c;
    aaaarr.d_name = arr.d_name = DNSName(templ);
    nsrr.d_content = std::make_shared<NSRecordContent>(DNSName(templ));
    arr.d_content = std::make_shared<ARecordContent>(ComboAddress(rootIps4[c - 'a']));
    vector<DNSRecord> aset;
    aset.push_back(arr);
    s_RC->replace(time(nullptr), DNSName(templ), QType(QType::A), aset, vector<std::shared_ptr<RRSIGRecordContent>>(), vector<std::shared_ptr<DNSRecord>>(), true); // auth, nuke it all
    if (rootIps6[c - 'a'] != NULL) {
      aaaarr.d_content = std::make_shared<AAAARecordContent>(ComboAddress(rootIps6[c - 'a']));

      vector<DNSRecord> aaaaset;
      aaaaset.push_back(aaaarr);
      s_RC->replace(time(nullptr), DNSName(templ), QType(QType::AAAA), aaaaset, vector<std::shared_ptr<RRSIGRecordContent>>(), vector<std::shared_ptr<DNSRecord>>(), true);
    }

    nsset.push_back(nsrr);
  }
  s_RC->replace(time(nullptr), g_rootdnsname, QType(QType::NS), nsset, vector<std::shared_ptr<RRSIGRecordContent>>(), vector<std::shared_ptr<DNSRecord>>(), false); // and stuff in the cache
}

LuaConfigItems::LuaConfigItems()
{
  for (const auto& dsRecord : rootDSs) {
    auto ds = std::dynamic_pointer_cast<DSRecordContent>(DSRecordContent::make(dsRecord));
    dsAnchors[g_rootdnsname].insert(*ds);
  }
}

/* Some helpers functions */

void initSR(bool debug)
{
  g_log.setName("test");
  g_log.disableSyslog(true);

  if (debug) {
    g_log.setLoglevel((Logger::Urgency)(6)); // info and up
    g_log.toConsole(Logger::Info);
  }
  else {
    g_log.setLoglevel(Logger::None);
    g_log.toConsole(Logger::Error);
  }

  s_RC = std::unique_ptr<MemRecursorCache>(new MemRecursorCache());

  SyncRes::s_maxqperq = 50;
  SyncRes::s_maxtotusec = 1000 * 7000;
  SyncRes::s_maxdepth = 40;
  SyncRes::s_maxnegttl = 3600;
  SyncRes::s_maxbogusttl = 3600;
  SyncRes::s_maxcachettl = 86400;
  SyncRes::s_packetcachettl = 3600;
  SyncRes::s_packetcacheservfailttl = 60;
  SyncRes::s_serverdownmaxfails = 64;
  SyncRes::s_serverdownthrottletime = 60;
  SyncRes::s_doIPv6 = true;
  SyncRes::s_ecsipv4limit = 24;
  SyncRes::s_ecsipv6limit = 56;
  SyncRes::s_ecsipv4cachelimit = 24;
  SyncRes::s_ecsipv6cachelimit = 56;
  SyncRes::s_ecscachelimitttl = 0;
  SyncRes::s_rootNXTrust = true;
  SyncRes::s_hardenNXD = SyncRes::HardenNXD::DNSSEC;
  SyncRes::s_minimumTTL = 0;
  SyncRes::s_minimumECSTTL = 0;
  SyncRes::s_serverID = "PowerDNS Unit Tests Server ID";
  SyncRes::clearEDNSLocalSubnets();
  SyncRes::addEDNSLocalSubnet("0.0.0.0/0");
  SyncRes::addEDNSLocalSubnet("::/0");
  SyncRes::clearEDNSRemoteSubnets();
  SyncRes::clearEDNSDomains();
  SyncRes::clearDelegationOnly();
  SyncRes::clearDontQuery();
  SyncRes::setECSScopeZeroAddress(Netmask("127.0.0.1/32"));
  SyncRes::s_qnameminimization = false;

  SyncRes::clearNSSpeeds();
  BOOST_CHECK_EQUAL(SyncRes::getNSSpeedsSize(), 0U);
  SyncRes::clearEDNSStatuses();
  BOOST_CHECK_EQUAL(SyncRes::getEDNSStatusesSize(), 0U);
  SyncRes::clearThrottle();
  BOOST_CHECK_EQUAL(SyncRes::getThrottledServersSize(), 0U);
  SyncRes::clearFailedServers();
  BOOST_CHECK_EQUAL(SyncRes::getFailedServersSize(), 0U);

  SyncRes::clearECSStats();

  auto luaconfsCopy = g_luaconfs.getCopy();
  luaconfsCopy.dfe.clear();
  luaconfsCopy.dsAnchors.clear();
  for (const auto& dsRecord : rootDSs) {
    auto ds = std::dynamic_pointer_cast<DSRecordContent>(DSRecordContent::make(dsRecord));
    luaconfsCopy.dsAnchors[g_rootdnsname].insert(*ds);
  }
  luaconfsCopy.negAnchors.clear();
  g_luaconfs.setState(luaconfsCopy);

  g_dnssecmode = DNSSECMode::Off;
  g_dnssecLOG = debug;
  g_maxNSEC3Iterations = 2500;

  ::arg().set("version-string", "string reported on version.pdns or version.bind") = "PowerDNS Unit Tests";
  ::arg().set("rng") = "auto";
  ::arg().set("entropy-source") = "/dev/urandom";
}

void initSR(std::unique_ptr<SyncRes>& sr, bool dnssec, bool debug, time_t fakeNow)
{
  struct timeval now;
  if (fakeNow > 0) {
    now.tv_sec = fakeNow;
    now.tv_usec = 0;
  }
  else {
    Utility::gettimeofday(&now, 0);
  }

  initSR(debug);

  sr = std::unique_ptr<SyncRes>(new SyncRes(now));
  sr->setDoEDNS0(true);
  if (dnssec) {
    sr->setDoDNSSEC(dnssec);
  }

  sr->setLogMode(debug == false ? SyncRes::LogNone : SyncRes::Log);

  SyncRes::setDomainMap(std::make_shared<SyncRes::domainmap_t>());
  SyncRes::clearNegCache();
}

void setDNSSECValidation(std::unique_ptr<SyncRes>& sr, const DNSSECMode& mode)
{
  sr->setDNSSECValidationRequested(true);
  g_dnssecmode = mode;
}

void setLWResult(LWResult* res, int rcode, bool aa, bool tc, bool edns, bool validpacket)
{
  res->d_rcode = rcode;
  res->d_aabit = aa;
  res->d_tcbit = tc;
  res->d_haveEDNS = edns;
  res->d_validpacket = validpacket;
}

void addRecordToLW(LWResult* res, const DNSName& name, uint16_t type, const std::string& content, DNSResourceRecord::Place place, uint32_t ttl)
{
  addRecordToList(res->d_records, name, type, content, place, ttl);
}

void addRecordToLW(LWResult* res, const std::string& name, uint16_t type, const std::string& content, DNSResourceRecord::Place place, uint32_t ttl)
{
  addRecordToLW(res, DNSName(name), type, content, place, ttl);
}

bool isRootServer(const ComboAddress& ip)
{
  if (ip.isIPv4()) {
    for (size_t idx = 0; idx < rootIps4Count; idx++) {
      if (ip.toString() == rootIps4[idx]) {
        return true;
      }
    }
  }
  else {
    for (size_t idx = 0; idx < rootIps6Count; idx++) {
      if (ip.toString() == rootIps6[idx]) {
        return true;
      }
    }
  }

  return false;
}

void computeRRSIG(const DNSSECPrivateKey& dpk, const DNSName& signer, const DNSName& signQName, uint16_t signQType, uint32_t signTTL, uint32_t sigValidity, RRSIGRecordContent& rrc, const sortedRecords_t& toSign, boost::optional<uint8_t> algo, boost::optional<uint32_t> inception, boost::optional<time_t> now)
{
  if (!now) {
    now = time(nullptr);
  }
  DNSKEYRecordContent drc = dpk.getDNSKEY();
  const std::shared_ptr<DNSCryptoKeyEngine> rc = dpk.getKey();

  rrc.d_type = signQType;
  rrc.d_labels = signQName.countLabels() - signQName.isWildcard();
  rrc.d_originalttl = signTTL;
  rrc.d_siginception = inception ? *inception : (*now - 10);
  rrc.d_sigexpire = *now + sigValidity;
  rrc.d_signer = signer;
  rrc.d_tag = 0;
  rrc.d_tag = drc.getTag();
  rrc.d_algorithm = algo ? *algo : drc.d_algorithm;

  std::string msg = getMessageForRRSET(signQName, rrc, toSign);

  rrc.d_signature = rc->sign(msg);
}

typedef std::unordered_map<DNSName, std::pair<DNSSECPrivateKey, DSRecordContent>> testkeysset_t;

bool addRRSIG(const testkeysset_t& keys, std::vector<DNSRecord>& records, const DNSName& signer, uint32_t sigValidity, bool broken, boost::optional<uint8_t> algo, boost::optional<DNSName> wildcard, boost::optional<time_t> now)
{
  if (records.empty()) {
    return false;
  }

  const auto it = keys.find(signer);
  if (it == keys.cend()) {
    throw std::runtime_error("No DNSKEY found for " + signer.toLogString() + ", unable to compute the requested RRSIG");
  }

  size_t recordsCount = records.size();
  const DNSName& name = records[recordsCount - 1].d_name;
  const uint16_t type = records[recordsCount - 1].d_type;

  sortedRecords_t recordcontents;
  for (const auto& record : records) {
    if (record.d_name == name && record.d_type == type) {
      recordcontents.insert(record.d_content);
    }
  }

  RRSIGRecordContent rrc;
  computeRRSIG(it->second.first, signer, wildcard ? *wildcard : records[recordsCount - 1].d_name, records[recordsCount - 1].d_type, records[recordsCount - 1].d_ttl, sigValidity, rrc, recordcontents, algo, boost::none, now);
  if (broken) {
    rrc.d_signature[0] ^= 42;
  }

  DNSRecord rec;
  rec.d_type = QType::RRSIG;
  rec.d_place = records[recordsCount - 1].d_place;
  rec.d_name = records[recordsCount - 1].d_name;
  rec.d_ttl = records[recordsCount - 1].d_ttl;

  rec.d_content = std::make_shared<RRSIGRecordContent>(rrc);
  records.push_back(rec);

  return true;
}

void addDNSKEY(const testkeysset_t& keys, const DNSName& signer, uint32_t ttl, std::vector<DNSRecord>& records)
{
  const auto it = keys.find(signer);
  if (it == keys.cend()) {
    throw std::runtime_error("No DNSKEY found for " + signer.toLogString());
  }

  DNSRecord rec;
  rec.d_place = DNSResourceRecord::ANSWER;
  rec.d_name = signer;
  rec.d_type = QType::DNSKEY;
  rec.d_ttl = ttl;

  rec.d_content = std::make_shared<DNSKEYRecordContent>(it->second.first.getDNSKEY());
  records.push_back(rec);
}

bool addDS(const DNSName& domain, uint32_t ttl, std::vector<DNSRecord>& records, const testkeysset_t& keys, DNSResourceRecord::Place place)
{
  const auto it = keys.find(domain);
  if (it == keys.cend()) {
    return false;
  }

  DNSRecord rec;
  rec.d_name = domain;
  rec.d_type = QType::DS;
  rec.d_place = place;
  rec.d_ttl = ttl;
  rec.d_content = std::make_shared<DSRecordContent>(it->second.second);

  records.push_back(rec);
  return true;
}

void addNSECRecordToLW(const DNSName& domain, const DNSName& next, const std::set<uint16_t>& types, uint32_t ttl, std::vector<DNSRecord>& records)
{
  NSECRecordContent nrc;
  nrc.d_next = next;
  for (const auto& type : types) {
    nrc.set(type);
  }

  DNSRecord rec;
  rec.d_name = domain;
  rec.d_ttl = ttl;
  rec.d_type = QType::NSEC;
  rec.d_content = std::make_shared<NSECRecordContent>(std::move(nrc));
  rec.d_place = DNSResourceRecord::AUTHORITY;

  records.push_back(rec);
}

void addNSEC3RecordToLW(const DNSName& hashedName, const std::string& hashedNext, const std::string& salt, unsigned int iterations, const std::set<uint16_t>& types, uint32_t ttl, std::vector<DNSRecord>& records, bool optOut)
{
  NSEC3RecordContent nrc;
  nrc.d_algorithm = 1;
  nrc.d_flags = optOut ? 1 : 0;
  nrc.d_iterations = iterations;
  nrc.d_salt = salt;
  nrc.d_nexthash = hashedNext;
  for (const auto& type : types) {
    nrc.set(type);
  }

  DNSRecord rec;
  rec.d_name = hashedName;
  rec.d_ttl = ttl;
  rec.d_type = QType::NSEC3;
  rec.d_content = std::make_shared<NSEC3RecordContent>(std::move(nrc));
  rec.d_place = DNSResourceRecord::AUTHORITY;

  records.push_back(rec);
}

void addNSEC3UnhashedRecordToLW(const DNSName& domain, const DNSName& zone, const std::string& next, const std::set<uint16_t>& types, uint32_t ttl, std::vector<DNSRecord>& records, unsigned int iterations, bool optOut)
{
  static const std::string salt = "deadbeef";
  std::string hashed = hashQNameWithSalt(salt, iterations, domain);

  addNSEC3RecordToLW(DNSName(toBase32Hex(hashed)) + zone, next, salt, iterations, types, ttl, records, optOut);
}

void addNSEC3NarrowRecordToLW(const DNSName& domain, const DNSName& zone, const std::set<uint16_t>& types, uint32_t ttl, std::vector<DNSRecord>& records, unsigned int iterations, bool optOut)
{
  static const std::string salt = "deadbeef";
  std::string hashed = hashQNameWithSalt(salt, iterations, domain);
  std::string hashedNext(hashed);
  incrementHash(hashedNext);
  decrementHash(hashed);

  addNSEC3RecordToLW(DNSName(toBase32Hex(hashed)) + zone, hashedNext, salt, iterations, types, ttl, records, optOut);
}

void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys)
{
  auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(algo));
  dcke->create((algo <= 10) ? 2048 : dcke->getBits());
  DNSSECPrivateKey dpk;
  dpk.d_flags = 256;
  dpk.setKey(dcke);
  DSRecordContent ds = makeDSFromDNSKey(name, dpk.getDNSKEY(), digest);
  keys[name] = std::pair<DNSSECPrivateKey, DSRecordContent>(dpk, ds);
}

void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys, map<DNSName, dsmap_t>& dsAnchors)
{
  generateKeyMaterial(name, algo, digest, keys);
  dsAnchors[name].insert(keys[name].second);
}

int genericDSAndDNSKEYHandler(LWResult* res, const DNSName& domain, DNSName auth, int type, const testkeysset_t& keys, bool proveCut, boost::optional<time_t> now, bool nsec3, bool optOut)
{
  if (type == QType::DS) {
    auth.chopOff();

    setLWResult(res, 0, true, false, true);

    if (addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER)) {
      addRRSIG(keys, res->d_records, auth, 300, false, boost::none, boost::none, now);
    }
    else {
      addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);

      /* if the auth zone is signed, we need to provide a secure denial */
      const auto it = keys.find(auth);
      if (it != keys.cend()) {
        /* sign the SOA */
        addRRSIG(keys, res->d_records, auth, 300, false, boost::none, boost::none, now);
        /* add a NSEC denying the DS */
        std::set<uint16_t> types = {nsec3 ? QType::NSEC : QType::NSEC3};
        if (proveCut) {
          types.insert(QType::NS);
        }

        if (!nsec3) {
          addNSECRecordToLW(domain, DNSName("z") + domain, types, 600, res->d_records);
        }
        else {
          addNSEC3UnhashedRecordToLW(domain, auth, (DNSName("z") + domain).toString(), types, 600, res->d_records, 10, optOut);
        }

        addRRSIG(keys, res->d_records, auth, 300, false, boost::none, boost::none, now);
      }
    }

    return 1;
  }

  if (type == QType::DNSKEY) {
    setLWResult(res, 0, true, false, true);
    addDNSKEY(keys, domain, 300, res->d_records);
    addRRSIG(keys, res->d_records, domain, 300);
    return 1;
  }

  return 0;
}

int basicRecordsForQnameMinimization(LWResult* res, const DNSName& domain, int type)
{
  if (domain == DNSName(".") && type == QType::A) {
    setLWResult(res, 0, true);
    addRecordToLW(res, DNSName("."), QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2019042400 1800 900 604800 86400", DNSResourceRecord::AUTHORITY);
    return 1;
  }
  if (domain == DNSName("com") && type == QType::A) {
    setLWResult(res, 0, true);
    addRecordToLW(res, DNSName("com"), QType::NS, "ns1.com", DNSResourceRecord::AUTHORITY);
    addRecordToLW(res, DNSName("ns1.com"), QType::A, "1.2.3.4", DNSResourceRecord::ADDITIONAL);
    return 1;
  }
  if (domain == DNSName("ns1.com") && type == QType::A) {
    setLWResult(res, 0, true);
    addRecordToLW(res, DNSName("ns1.com"), QType::A, "1.2.3.4");
    return 1;
  }
  if (domain == DNSName("powerdns.com") && type == QType::A) {
    setLWResult(res, 0, true);
    addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com", DNSResourceRecord::AUTHORITY);
    addRecordToLW(res, DNSName("ns1.powerdns.com"), QType::A, "4.5.6.7", DNSResourceRecord::ADDITIONAL);
    return 1;
  }
  if (domain == DNSName("powerdns.com") && type == QType::NS) {
    setLWResult(res, 0, true);
    addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com");
    addRecordToLW(res, DNSName("ns1.powerdns.com"), QType::A, "4.5.6.7", DNSResourceRecord::ADDITIONAL);
    return 1;
  }
  return 0;
}
Commit	Line	Data
30ee601a	1	#define BOOST_TEST_DYN_LINK
30ee601a RG	2	#include <boost/test/unit_test.hpp>
30ee601a RG	3
95823c07	4	#include "base32.hh"
30ee601a	5	#include "lua-recursor4.hh"
30ee601a	6	#include "root-dnssec.hh"
86675669	7	#include "test-syncres_cc.hh"
30ee601a	8
30ee601a RG	9	RecursorStats g_stats;
30ee601a RG	10	GlobalStateHolder<LuaConfigItems> g_luaconfs;
559b6c93 PL	11	GlobalStateHolder<SuffixMatchNode> g_dontThrottleNames;
559b6c93 PL	12	GlobalStateHolder<NetmaskGroup> g_dontThrottleNetmasks;
a7956123	13	std::unique_ptr<MemRecursorCache> s_RC{nullptr};
30ee601a	14	unsigned int g_numThreads = 1;
c1c29961	15	bool g_lowercaseOutgoing = false;
30ee601a RG	16
	17	/* Fake some required functions we didn't want the trouble to
	18	link with */
42dcf516	19	ArgvMap& arg()
30ee601a RG	20	{
	21	static ArgvMap theArg;
	22	return theArg;
	23	}
	24
159b1242 OM	25	void primeRootNSZones(bool)
	26	{
	27	}
	28
5899ee54	29	bool RecursorLua4::preoutquery(const ComboAddress& ns, const ComboAddress& requestor, const DNSName& query, const QType& qtype, bool isTcp, vector<DNSRecord>& res, int& ret) const
30ee601a RG	30	{
	31	return false;
	32	}
	33
42dcf516	34	int asyncresolve(const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, const std::shared_ptr<std::vector<std::unique_ptr<RemoteLogger>>>& outgoingLoggers, const std::shared_ptr<std::vector<std::unique_ptr<FrameStreamLogger>>>& fstrmLoggers, const std::set<uint16_t>& exportTypes, LWResult* res, bool* chained)
30ee601a RG	35	{
	36	return 0;
	37	}
	38
	39	/* primeHints() is only here for now because it
	40	was way too much trouble to link with the real one.
	41	We should fix this, empty functions are one thing, but this is
	42	bad.
	43	*/
	44
	45	#include "root-addresses.hh"
	46
	47	void primeHints(void)
	48	{
	49	vector<DNSRecord> nsset;
a7956123 OM	50	if (!s_RC)
a7956123 OM	51	s_RC = std::unique_ptr<MemRecursorCache>(new MemRecursorCache());
30ee601a RG	52
30ee601a RG	53	DNSRecord arr, aaaarr, nsrr;
42dcf516 OM	54	nsrr.d_name = g_rootdnsname;
	55	arr.d_type = QType::A;
	56	aaaarr.d_type = QType::AAAA;
	57	nsrr.d_type = QType::NS;
	58	arr.d_ttl = aaaarr.d_ttl = nsrr.d_ttl = time(nullptr) + 3600000;
30ee601a	59
42dcf516	60	for (char c = 'a'; c <= 'm'; ++c) {
e4f772ce	61	char templ[40];
42dcf516 OM	62	strncpy(templ, "a.root-servers.net.", sizeof(templ) - 1);
	63	templ[sizeof(templ) - 1] = '\0';
	64	*templ = c;
	65	aaaarr.d_name = arr.d_name = DNSName(templ);
	66	nsrr.d_content = std::make_shared<NSRecordContent>(DNSName(templ));
	67	arr.d_content = std::make_shared<ARecordContent>(ComboAddress(rootIps4[c - 'a']));
30ee601a RG	68	vector<DNSRecord> aset;
30ee601a RG	69	aset.push_back(arr);
a7956123	70	s_RC->replace(time(nullptr), DNSName(templ), QType(QType::A), aset, vector<std::shared_ptr<RRSIGRecordContent>>(), vector<std::shared_ptr<DNSRecord>>(), true); // auth, nuke it all
42dcf516 OM	71	if (rootIps6[c - 'a'] != NULL) {
42dcf516 OM	72	aaaarr.d_content = std::make_shared<AAAARecordContent>(ComboAddress(rootIps6[c - 'a']));
30ee601a RG	73
	74	vector<DNSRecord> aaaaset;
	75	aaaaset.push_back(aaaarr);
a7956123	76	s_RC->replace(time(nullptr), DNSName(templ), QType(QType::AAAA), aaaaset, vector<std::shared_ptr<RRSIGRecordContent>>(), vector<std::shared_ptr<DNSRecord>>(), true);
30ee601a RG	77	}
	78
	79	nsset.push_back(nsrr);
	80	}
a7956123	81	s_RC->replace(time(nullptr), g_rootdnsname, QType(QType::NS), nsset, vector<std::shared_ptr<RRSIGRecordContent>>(), vector<std::shared_ptr<DNSRecord>>(), false); // and stuff in the cache
30ee601a RG	82	}
	83
	84	LuaConfigItems::LuaConfigItems()
	85	{
42dcf516 OM	86	for (const auto& dsRecord : rootDSs) {
42dcf516 OM	87	auto ds = std::dynamic_pointer_cast<DSRecordContent>(DSRecordContent::make(dsRecord));
30ee601a RG	88	dsAnchors[g_rootdnsname].insert(*ds);
	89	}
	90	}
	91
	92	/* Some helpers functions */
	93
86675669	94	void initSR(bool debug)
30ee601a	95	{
e6a9dde5 PL	96	g_log.setName("test");
e6a9dde5 PL	97	g_log.disableSyslog(true);
b4c8789a	98
30ee601a	99	if (debug) {
e6a9dde5 PL	100	g_log.setLoglevel((Logger::Urgency)(6)); // info and up
e6a9dde5 PL	101	g_log.toConsole(Logger::Info);
30ee601a	102	}
b4c8789a	103	else {
e6a9dde5 PL	104	g_log.setLoglevel(Logger::None);
e6a9dde5 PL	105	g_log.toConsole(Logger::Error);
b4c8789a	106	}
30ee601a	107
a7956123	108	s_RC = std::unique_ptr<MemRecursorCache>(new MemRecursorCache());
30ee601a	109
30ee601a	110	SyncRes::s_maxqperq = 50;
42dcf516	111	SyncRes::s_maxtotusec = 1000 * 7000;
30ee601a RG	112	SyncRes::s_maxdepth = 40;
30ee601a RG	113	SyncRes::s_maxnegttl = 3600;
b9473937	114	SyncRes::s_maxbogusttl = 3600;
30ee601a RG	115	SyncRes::s_maxcachettl = 86400;
	116	SyncRes::s_packetcachettl = 3600;
	117	SyncRes::s_packetcacheservfailttl = 60;
	118	SyncRes::s_serverdownmaxfails = 64;
	119	SyncRes::s_serverdownthrottletime = 60;
	120	SyncRes::s_doIPv6 = true;
e9f9b8ec RG	121	SyncRes::s_ecsipv4limit = 24;
e9f9b8ec RG	122	SyncRes::s_ecsipv6limit = 56;
bdceeb7e RG	123	SyncRes::s_ecsipv4cachelimit = 24;
bdceeb7e RG	124	SyncRes::s_ecsipv6cachelimit = 56;
2cbe6a45	125	SyncRes::s_ecscachelimitttl = 0;
f58c8379	126	SyncRes::s_rootNXTrust = true;
d40a915b	127	SyncRes::s_hardenNXD = SyncRes::HardenNXD::DNSSEC;
d6e797b8	128	SyncRes::s_minimumTTL = 0;
5cf4b2e7	129	SyncRes::s_minimumECSTTL = 0;
648bcbd1	130	SyncRes::s_serverID = "PowerDNS Unit Tests Server ID";
2fe3354d CH	131	SyncRes::clearEDNSLocalSubnets();
	132	SyncRes::addEDNSLocalSubnet("0.0.0.0/0");
	133	SyncRes::addEDNSLocalSubnet("::/0");
	134	SyncRes::clearEDNSRemoteSubnets();
9065eb05 RG	135	SyncRes::clearEDNSDomains();
	136	SyncRes::clearDelegationOnly();
	137	SyncRes::clearDontQuery();
2fe3354d	138	SyncRes::setECSScopeZeroAddress(Netmask("127.0.0.1/32"));
357d1186	139	SyncRes::s_qnameminimization = false;
648bcbd1	140
a712cb56	141	SyncRes::clearNSSpeeds();
690b86b7	142	BOOST_CHECK_EQUAL(SyncRes::getNSSpeedsSize(), 0U);
a712cb56	143	SyncRes::clearEDNSStatuses();
690b86b7	144	BOOST_CHECK_EQUAL(SyncRes::getEDNSStatusesSize(), 0U);
a712cb56	145	SyncRes::clearThrottle();
690b86b7	146	BOOST_CHECK_EQUAL(SyncRes::getThrottledServersSize(), 0U);
a712cb56	147	SyncRes::clearFailedServers();
690b86b7	148	BOOST_CHECK_EQUAL(SyncRes::getFailedServersSize(), 0U);
a712cb56	149
c9783016 RG	150	SyncRes::clearECSStats();
c9783016 RG	151
648bcbd1 RG	152	auto luaconfsCopy = g_luaconfs.getCopy();
648bcbd1 RG	153	luaconfsCopy.dfe.clear();
8455425c	154	luaconfsCopy.dsAnchors.clear();
42dcf516 OM	155	for (const auto& dsRecord : rootDSs) {
42dcf516 OM	156	auto ds = std::dynamic_pointer_cast<DSRecordContent>(DSRecordContent::make(dsRecord));
8455425c RG	157	luaconfsCopy.dsAnchors[g_rootdnsname].insert(*ds);
	158	}
	159	luaconfsCopy.negAnchors.clear();
648bcbd1 RG	160	g_luaconfs.setState(luaconfsCopy);
648bcbd1 RG	161
8455425c	162	g_dnssecmode = DNSSECMode::Off;
895449a5	163	g_dnssecLOG = debug;
b7c40613	164	g_maxNSEC3Iterations = 2500;
8455425c	165
42dcf516 OM	166	::arg().set("version-string", "string reported on version.pdns or version.bind") = "PowerDNS Unit Tests";
	167	::arg().set("rng") = "auto";
	168	::arg().set("entropy-source") = "/dev/urandom";
30ee601a RG	169	}
30ee601a RG	170
86675669	171	void initSR(std::unique_ptr<SyncRes>& sr, bool dnssec, bool debug, time_t fakeNow)
30ee601a RG	172	{
30ee601a RG	173	struct timeval now;
d6e797b8 RG	174	if (fakeNow > 0) {
	175	now.tv_sec = fakeNow;
	176	now.tv_usec = 0;
	177	}
	178	else {
	179	Utility::gettimeofday(&now, 0);
	180	}
	181
86675669	182	initSR(debug);
895449a5	183
30ee601a	184	sr = std::unique_ptr<SyncRes>(new SyncRes(now));
895449a5	185	sr->setDoEDNS0(true);
0c43f455 RG	186	if (dnssec) {
	187	sr->setDoDNSSEC(dnssec);
	188	}
	189
895449a5 RG	190	sr->setLogMode(debug == false ? SyncRes::LogNone : SyncRes::Log);
895449a5 RG	191
a712cb56 RG	192	SyncRes::setDomainMap(std::make_shared<SyncRes::domainmap_t>());
a712cb56 RG	193	SyncRes::clearNegCache();
30ee601a RG	194	}
30ee601a RG	195
86675669	196	void setDNSSECValidation(std::unique_ptr<SyncRes>& sr, const DNSSECMode& mode)
0c43f455 RG	197	{
	198	sr->setDNSSECValidationRequested(true);
	199	g_dnssecmode = mode;
	200	}
	201
86675669	202	void setLWResult(LWResult* res, int rcode, bool aa, bool tc, bool edns, bool validpacket)
30ee601a RG	203	{
	204	res->d_rcode = rcode;
	205	res->d_aabit = aa;
	206	res->d_tcbit = tc;
	207	res->d_haveEDNS = edns;
269ac73d	208	res->d_validpacket = validpacket;
30ee601a RG	209	}
30ee601a RG	210
86675669	211	void addRecordToLW(LWResult* res, const DNSName& name, uint16_t type, const std::string& content, DNSResourceRecord::Place place, uint32_t ttl)
d6e797b8 RG	212	{
d6e797b8 RG	213	addRecordToList(res->d_records, name, type, content, place, ttl);
30ee601a RG	214	}
30ee601a RG	215
86675669	216	void addRecordToLW(LWResult* res, const std::string& name, uint16_t type, const std::string& content, DNSResourceRecord::Place place, uint32_t ttl)
30ee601a RG	217	{
	218	addRecordToLW(res, DNSName(name), type, content, place, ttl);
	219	}
	220
86675669	221	bool isRootServer(const ComboAddress& ip)
30ee601a	222	{
8455425c RG	223	if (ip.isIPv4()) {
	224	for (size_t idx = 0; idx < rootIps4Count; idx++) {
	225	if (ip.toString() == rootIps4[idx]) {
	226	return true;
	227	}
30ee601a RG	228	}
30ee601a RG	229	}
8455425c RG	230	else {
	231	for (size_t idx = 0; idx < rootIps6Count; idx++) {
	232	if (ip.toString() == rootIps6[idx]) {
	233	return true;
	234	}
30ee601a RG	235	}
30ee601a RG	236	}
8455425c	237
30ee601a RG	238	return false;
	239	}
	240
c1e7b833	241	void computeRRSIG(const DNSSECPrivateKey& dpk, const DNSName& signer, const DNSName& signQName, uint16_t signQType, uint32_t signTTL, uint32_t sigValidity, RRSIGRecordContent& rrc, const sortedRecords_t& toSign, boost::optional<uint8_t> algo, boost::optional<uint32_t> inception, boost::optional<time_t> now)
8455425c	242	{
1e2e06f1 RG	243	if (!now) {
	244	now = time(nullptr);
	245	}
8455425c RG	246	DNSKEYRecordContent drc = dpk.getDNSKEY();
	247	const std::shared_ptr<DNSCryptoKeyEngine> rc = dpk.getKey();
	248
	249	rrc.d_type = signQType;
	250	rrc.d_labels = signQName.countLabels() - signQName.isWildcard();
	251	rrc.d_originalttl = signTTL;
1e2e06f1 RG	252	rrc.d_siginception = inception ? inception : (now - 10);
1e2e06f1 RG	253	rrc.d_sigexpire = *now + sigValidity;
8455425c RG	254	rrc.d_signer = signer;
	255	rrc.d_tag = 0;
	256	rrc.d_tag = drc.getTag();
3d5ebf10	257	rrc.d_algorithm = algo ? *algo : drc.d_algorithm;
8455425c RG	258
	259	std::string msg = getMessageForRRSET(signQName, rrc, toSign);
	260
	261	rrc.d_signature = rc->sign(msg);
	262	}
	263
42dcf516	264	typedef std::unordered_map<DNSName, std::pair<DNSSECPrivateKey, DSRecordContent>> testkeysset_t;
b7f378d1	265
86675669	266	bool addRRSIG(const testkeysset_t& keys, std::vector<DNSRecord>& records, const DNSName& signer, uint32_t sigValidity, bool broken, boost::optional<uint8_t> algo, boost::optional<DNSName> wildcard, boost::optional<time_t> now)
8455425c RG	267	{
8455425c RG	268	if (records.empty()) {
5374b03b	269	return false;
8455425c RG	270	}
	271
	272	const auto it = keys.find(signer);
	273	if (it == keys.cend()) {
86f1af1c	274	throw std::runtime_error("No DNSKEY found for " + signer.toLogString() + ", unable to compute the requested RRSIG");
8455425c RG	275	}
	276
	277	size_t recordsCount = records.size();
42dcf516 OM	278	const DNSName& name = records[recordsCount - 1].d_name;
42dcf516 OM	279	const uint16_t type = records[recordsCount - 1].d_type;
8455425c	280
c1e7b833	281	sortedRecords_t recordcontents;
f0c604d5	282	for (const auto& record : records) {
8455425c	283	if (record.d_name == name && record.d_type == type) {
c1e7b833	284	recordcontents.insert(record.d_content);
8455425c RG	285	}
	286	}
	287
	288	RRSIGRecordContent rrc;
42dcf516	289	computeRRSIG(it->second.first, signer, wildcard ? *wildcard : records[recordsCount - 1].d_name, records[recordsCount - 1].d_type, records[recordsCount - 1].d_ttl, sigValidity, rrc, recordcontents, algo, boost::none, now);
3d5ebf10 RG	290	if (broken) {
	291	rrc.d_signature[0] ^= 42;
	292	}
8455425c RG	293
8455425c RG	294	DNSRecord rec;
dbbef467	295	rec.d_type = QType::RRSIG;
42dcf516 OM	296	rec.d_place = records[recordsCount - 1].d_place;
	297	rec.d_name = records[recordsCount - 1].d_name;
	298	rec.d_ttl = records[recordsCount - 1].d_ttl;
8455425c RG	299
	300	rec.d_content = std::make_shared<RRSIGRecordContent>(rrc);
	301	records.push_back(rec);
5374b03b RG	302
5374b03b RG	303	return true;
8455425c RG	304	}
8455425c RG	305
86675669	306	void addDNSKEY(const testkeysset_t& keys, const DNSName& signer, uint32_t ttl, std::vector<DNSRecord>& records)
8455425c RG	307	{
	308	const auto it = keys.find(signer);
	309	if (it == keys.cend()) {
86f1af1c	310	throw std::runtime_error("No DNSKEY found for " + signer.toLogString());
8455425c RG	311	}
	312
	313	DNSRecord rec;
	314	rec.d_place = DNSResourceRecord::ANSWER;
	315	rec.d_name = signer;
	316	rec.d_type = QType::DNSKEY;
	317	rec.d_ttl = ttl;
	318
b7f378d1	319	rec.d_content = std::make_shared<DNSKEYRecordContent>(it->second.first.getDNSKEY());
8455425c RG	320	records.push_back(rec);
	321	}
	322
86675669	323	bool addDS(const DNSName& domain, uint32_t ttl, std::vector<DNSRecord>& records, const testkeysset_t& keys, DNSResourceRecord::Place place)
8455425c	324	{
b7f378d1 RG	325	const auto it = keys.find(domain);
b7f378d1 RG	326	if (it == keys.cend()) {
5374b03b	327	return false;
8455425c RG	328	}
8455425c RG	329
b7f378d1 RG	330	DNSRecord rec;
	331	rec.d_name = domain;
	332	rec.d_type = QType::DS;
a53e8fe3	333	rec.d_place = place;
b7f378d1 RG	334	rec.d_ttl = ttl;
b7f378d1 RG	335	rec.d_content = std::make_shared<DSRecordContent>(it->second.second);
8455425c	336
b7f378d1	337	records.push_back(rec);
5374b03b	338	return true;
8455425c RG	339	}
8455425c RG	340
42dcf516	341	void addNSECRecordToLW(const DNSName& domain, const DNSName& next, const std::set<uint16_t>& types, uint32_t ttl, std::vector<DNSRecord>& records)
8455425c RG	342	{
	343	NSECRecordContent nrc;
	344	nrc.d_next = next;
27d4a65b RG	345	for (const auto& type : types) {
	346	nrc.set(type);
	347	}
8455425c RG	348
	349	DNSRecord rec;
	350	rec.d_name = domain;
	351	rec.d_ttl = ttl;
	352	rec.d_type = QType::NSEC;
27d4a65b	353	rec.d_content = std::make_shared<NSECRecordContent>(std::move(nrc));
8455425c RG	354	rec.d_place = DNSResourceRecord::AUTHORITY;
	355
	356	records.push_back(rec);
	357	}
	358
c1797419	359	void addNSEC3RecordToLW(const DNSName& hashedName, const std::string& hashedNext, const std::string& salt, unsigned int iterations, const std::set<uint16_t>& types, uint32_t ttl, std::vector<DNSRecord>& records, bool optOut)
95823c07 RG	360	{
	361	NSEC3RecordContent nrc;
	362	nrc.d_algorithm = 1;
c1797419	363	nrc.d_flags = optOut ? 1 : 0;
95823c07 RG	364	nrc.d_iterations = iterations;
	365	nrc.d_salt = salt;
	366	nrc.d_nexthash = hashedNext;
27d4a65b RG	367	for (const auto& type : types) {
	368	nrc.set(type);
	369	}
95823c07 RG	370
	371	DNSRecord rec;
	372	rec.d_name = hashedName;
	373	rec.d_ttl = ttl;
	374	rec.d_type = QType::NSEC3;
27d4a65b	375	rec.d_content = std::make_shared<NSEC3RecordContent>(std::move(nrc));
95823c07 RG	376	rec.d_place = DNSResourceRecord::AUTHORITY;
	377
	378	records.push_back(rec);
	379	}
	380
c1797419	381	void addNSEC3UnhashedRecordToLW(const DNSName& domain, const DNSName& zone, const std::string& next, const std::set<uint16_t>& types, uint32_t ttl, std::vector<DNSRecord>& records, unsigned int iterations, bool optOut)
95823c07 RG	382	{
95823c07 RG	383	static const std::string salt = "deadbeef";
95823c07 RG	384	std::string hashed = hashQNameWithSalt(salt, iterations, domain);
95823c07 RG	385
c1797419	386	addNSEC3RecordToLW(DNSName(toBase32Hex(hashed)) + zone, next, salt, iterations, types, ttl, records, optOut);
95823c07 RG	387	}
95823c07 RG	388
c1797419	389	void addNSEC3NarrowRecordToLW(const DNSName& domain, const DNSName& zone, const std::set<uint16_t>& types, uint32_t ttl, std::vector<DNSRecord>& records, unsigned int iterations, bool optOut)
95823c07 RG	390	{
95823c07 RG	391	static const std::string salt = "deadbeef";
95823c07	392	std::string hashed = hashQNameWithSalt(salt, iterations, domain);
95823c07 RG	393	std::string hashedNext(hashed);
	394	incrementHash(hashedNext);
	395	decrementHash(hashed);
	396
c1797419	397	addNSEC3RecordToLW(DNSName(toBase32Hex(hashed)) + zone, hashedNext, salt, iterations, types, ttl, records, optOut);
95823c07 RG	398	}
95823c07 RG	399
86675669	400	void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys)
8455425c RG	401	{
8455425c RG	402	auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(algo));
b7f378d1	403	dcke->create((algo <= 10) ? 2048 : dcke->getBits());
8455425c RG	404	DNSSECPrivateKey dpk;
	405	dpk.d_flags = 256;
	406	dpk.setKey(dcke);
8455425c	407	DSRecordContent ds = makeDSFromDNSKey(name, dpk.getDNSKEY(), digest);
42dcf516	408	keys[name] = std::pair<DNSSECPrivateKey, DSRecordContent>(dpk, ds);
b7f378d1 RG	409	}
b7f378d1 RG	410
42dcf516	411	void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys, map<DNSName, dsmap_t>& dsAnchors)
b7f378d1 RG	412	{
	413	generateKeyMaterial(name, algo, digest, keys);
	414	dsAnchors[name].insert(keys[name].second);
8455425c RG	415	}
8455425c RG	416
c1797419	417	int genericDSAndDNSKEYHandler(LWResult* res, const DNSName& domain, DNSName auth, int type, const testkeysset_t& keys, bool proveCut, boost::optional<time_t> now, bool nsec3, bool optOut)
5374b03b RG	418	{
	419	if (type == QType::DS) {
	420	auth.chopOff();
	421
	422	setLWResult(res, 0, true, false, true);
	423
	424	if (addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER)) {
7ced0738	425	addRRSIG(keys, res->d_records, auth, 300, false, boost::none, boost::none, now);
5374b03b RG	426	}
	427	else {
	428	addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
	429
	430	/* if the auth zone is signed, we need to provide a secure denial */
	431	const auto it = keys.find(auth);
	432	if (it != keys.cend()) {
	433	/* sign the SOA */
7ced0738	434	addRRSIG(keys, res->d_records, auth, 300, false, boost::none, boost::none, now);
5374b03b	435	/* add a NSEC denying the DS */
6850fa5d	436	std::set<uint16_t> types = {nsec3 ? QType::NSEC : QType::NSEC3};
f4de85a3 RG	437	if (proveCut) {
	438	types.insert(QType::NS);
	439	}
	440
c1797419 RG	441	if (!nsec3) {
	442	addNSECRecordToLW(domain, DNSName("z") + domain, types, 600, res->d_records);
	443	}
	444	else {
	445	addNSEC3UnhashedRecordToLW(domain, auth, (DNSName("z") + domain).toString(), types, 600, res->d_records, 10, optOut);
	446	}
	447
7ced0738	448	addRRSIG(keys, res->d_records, auth, 300, false, boost::none, boost::none, now);
5374b03b RG	449	}
	450	}
	451
	452	return 1;
	453	}
	454
	455	if (type == QType::DNSKEY) {
	456	setLWResult(res, 0, true, false, true);
dbbef467 RG	457	addDNSKEY(keys, domain, 300, res->d_records);
dbbef467 RG	458	addRRSIG(keys, res->d_records, domain, 300);
5374b03b RG	459	return 1;
	460	}
	461
	462	return 0;
	463	}
	464
42dcf516 OM	465	int basicRecordsForQnameMinimization(LWResult* res, const DNSName& domain, int type)
42dcf516 OM	466	{
86675669 OM	467	if (domain == DNSName(".") && type == QType::A) {
	468	setLWResult(res, 0, true);
	469	addRecordToLW(res, DNSName("."), QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2019042400 1800 900 604800 86400", DNSResourceRecord::AUTHORITY);
	470	return 1;
648bcbd1	471	}
86675669 OM	472	if (domain == DNSName("com") && type == QType::A) {
	473	setLWResult(res, 0, true);
	474	addRecordToLW(res, DNSName("com"), QType::NS, "ns1.com", DNSResourceRecord::AUTHORITY);
	475	addRecordToLW(res, DNSName("ns1.com"), QType::A, "1.2.3.4", DNSResourceRecord::ADDITIONAL);
	476	return 1;
c9783016	477	}
86675669 OM	478	if (domain == DNSName("ns1.com") && type == QType::A) {
	479	setLWResult(res, 0, true);
	480	addRecordToLW(res, DNSName("ns1.com"), QType::A, "1.2.3.4");
	481	return 1;
c9783016	482	}
86675669 OM	483	if (domain == DNSName("powerdns.com") && type == QType::A) {
	484	setLWResult(res, 0, true);
	485	addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com", DNSResourceRecord::AUTHORITY);
	486	addRecordToLW(res, DNSName("ns1.powerdns.com"), QType::A, "4.5.6.7", DNSResourceRecord::ADDITIONAL);
	487	return 1;
c9783016	488	}
86675669 OM	489	if (domain == DNSName("powerdns.com") && type == QType::NS) {
	490	setLWResult(res, 0, true);
	491	addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com");
	492	addRecordToLW(res, DNSName("ns1.powerdns.com"), QType::A, "4.5.6.7", DNSResourceRecord::ADDITIONAL);
	493	return 1;
c9783016	494	}
86675669	495	return 0;
778bcea6	496	}