import dns
from recursortests import RecursorTest


class testSimple(RecursorTest):
    """Regression tests for negative trust anchors (NTAs) in the recursor.

    The recursor is started with ``dnssec=validate`` and a Lua configuration
    that registers an NTA for ``bogus.example`` and for
    ``secure.optout.example``; the latter also gets a positive trust anchor.
    Every test sends one DO-flagged A query over UDP and expects a NOERROR
    response whose expected header flags are QR, RA and RD, i.e. AD is not
    in the expected list.
    """

    _confdir = 'NTA'

    _config_template = """dnssec=validate"""

    # An NTA switches DNSSEC validation off for the whole subtree it names, so
    # each entry is a deliberate hole in validation coverage.
    # The addTA value is in DS presentation form (key tag, algorithm, digest
    # type, digest); digest type 1 is SHA-1, acceptable for a fixture only.
    # The continuation lines are part of the string and must stay at column 0.
    _lua_config_file = """addNTA("bogus.example")
addNTA('secure.optout.example', 'Should be Insecure, even with DS configured')
addTA('secure.optout.example', '64215 13 1 b88284d7a8d8605c398e8942262f97b9a5a31787')"""

    def _queryWithDO(self, qname):
        """Send an A query for *qname* with AD, RD and the EDNS DO bit set.

        Returns whatever ``self.sendUDPQuery`` returns for that query.
        """
        query = dns.message.make_query(qname, dns.rdatatype.A)
        query.flags = dns.flags.from_text('AD RD')
        query.use_edns(edns=0, ednsflags=dns.flags.edns_from_text('DO'))
        return self.sendUDPQuery(query)

    def _assertInsecureAnswer(self, response):
        """Check the flags and rcode every test in this class expects.

        NOTE(review): AD is left out of the expected flags on purpose; whether
        assertMessageHasFlags also rejects an unexpected AD bit is decided in
        recursortests and is not visible here -- confirm, because otherwise
        the Insecure state is not actually pinned by these tests.
        """
        self.assertMessageHasFlags(response, ['QR', 'RA', 'RD'], ['DO'])
        self.assertRcodeEqual(response, dns.rcode.NOERROR)

    def testDirectNTA(self):
        """Ensure a direct query to a bogus name with an NTA is Insecure"""
        # The name sits directly below the bogus.example NTA.
        response = self._queryWithDO("ted.bogus.example.")
        self._assertInsecureAnswer(response)

    def testCNAMENTA(self):
        """Ensure a CNAME from a secure zone to a bogus one with an NTA is Insecure"""
        # The query name is in secure.example; per the contract above, the
        # CNAME target is in the bogus zone covered by the NTA.
        response = self._queryWithDO("cname-to-bogus.secure.example.")
        self._assertInsecureAnswer(response)

    def testSecureWithNTAandDS(self):
        """#4391: when there is a TA *and* NTA configured for a name, the result must be insecure"""
        # secure.optout.example has both addNTA and addTA in the Lua config;
        # the NTA is expected to win over the trust anchor.
        response = self._queryWithDO("node1.secure.optout.example.")
        self._assertInsecureAnswer(response)