1 #define BOOST_TEST_DYN_LINK
2 #include <boost/test/unit_test.hpp>
4 #include "test-syncres_cc.hh"
6 BOOST_AUTO_TEST_SUITE(syncres_cc8
)
8 BOOST_AUTO_TEST_CASE(test_nsec_denial_nowrap
)
13 generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
15 vector
<DNSRecord
> records
;
17 sortedRecords_t recordContents
;
18 vector
<shared_ptr
<RRSIGRecordContent
>> signatureContents
;
22 a.example.org. -> d.example.org. denies the existence of b.example.org.
24 addNSECRecordToLW(DNSName("a.example.org."), DNSName("d.example.org"), {QType::A
, QType::TXT
, QType::RRSIG
, QType::NSEC
}, 600, records
);
25 recordContents
.insert(records
.at(0).d_content
);
26 addRRSIG(keys
, records
, DNSName("example.org."), 300);
27 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
31 pair
.records
= recordContents
;
32 pair
.signatures
= signatureContents
;
34 denialMap
[std::make_pair(DNSName("a.example.org."), QType::NSEC
)] = pair
;
36 /* add wildcard denial */
37 recordContents
.clear();
38 signatureContents
.clear();
39 addNSECRecordToLW(DNSName("example.org."), DNSName("+.example.org"), {QType::A
, QType::TXT
, QType::RRSIG
, QType::NSEC
}, 600, records
);
40 recordContents
.insert(records
.at(0).d_content
);
41 addRRSIG(keys
, records
, DNSName("example.org."), 300);
42 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
45 pair
.records
= recordContents
;
46 pair
.signatures
= signatureContents
;
47 denialMap
[std::make_pair(DNSName("example.org."), QType::NSEC
)] = pair
;
49 dState denialState
= getDenial(denialMap
, DNSName("b.example.org."), QType::A
, false, false);
50 BOOST_CHECK_EQUAL(denialState
, NXDOMAIN
);
52 denialState
= getDenial(denialMap
, DNSName("d.example.org."), QType::A
, false, false);
53 /* let's check that d.example.org. is not denied by this proof */
54 BOOST_CHECK_EQUAL(denialState
, NODATA
);
57 BOOST_AUTO_TEST_CASE(test_nsec_denial_wrap_case_1
)
62 generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
64 vector
<DNSRecord
> records
;
66 sortedRecords_t recordContents
;
67 vector
<shared_ptr
<RRSIGRecordContent
>> signatureContents
;
70 Wrap case 1 test case:
71 z.example.org. -> b.example.org. denies the existence of a.example.org.
73 addNSECRecordToLW(DNSName("z.example.org."), DNSName("b.example.org"), {QType::A
, QType::TXT
, QType::RRSIG
, QType::NSEC
}, 600, records
);
74 recordContents
.insert(records
.at(0).d_content
);
75 addRRSIG(keys
, records
, DNSName("example.org."), 300);
76 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
80 pair
.records
= recordContents
;
81 pair
.signatures
= signatureContents
;
83 denialMap
[std::make_pair(DNSName("z.example.org."), QType::NSEC
)] = pair
;
85 dState denialState
= getDenial(denialMap
, DNSName("a.example.org."), QType::A
, false, false);
86 BOOST_CHECK_EQUAL(denialState
, NXDOMAIN
);
88 denialState
= getDenial(denialMap
, DNSName("d.example.org."), QType::A
, false, false);
89 /* let's check that d.example.org. is not denied by this proof */
90 BOOST_CHECK_EQUAL(denialState
, NODATA
);
93 BOOST_AUTO_TEST_CASE(test_nsec_denial_wrap_case_2
)
98 generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
100 vector
<DNSRecord
> records
;
102 sortedRecords_t recordContents
;
103 vector
<shared_ptr
<RRSIGRecordContent
>> signatureContents
;
106 Wrap case 2 test case:
107 y.example.org. -> a.example.org. denies the existence of z.example.org.
109 addNSECRecordToLW(DNSName("y.example.org."), DNSName("a.example.org"), {QType::A
, QType::TXT
, QType::RRSIG
, QType::NSEC
}, 600, records
);
110 recordContents
.insert(records
.at(0).d_content
);
111 addRRSIG(keys
, records
, DNSName("example.org."), 300);
112 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
116 pair
.records
= recordContents
;
117 pair
.signatures
= signatureContents
;
119 denialMap
[std::make_pair(DNSName("y.example.org."), QType::NSEC
)] = pair
;
121 dState denialState
= getDenial(denialMap
, DNSName("z.example.org."), QType::A
, false, false);
122 BOOST_CHECK_EQUAL(denialState
, NXDOMAIN
);
124 denialState
= getDenial(denialMap
, DNSName("d.example.org."), QType::A
, false, false);
125 /* let's check that d.example.org. is not denied by this proof */
126 BOOST_CHECK_EQUAL(denialState
, NODATA
);
129 BOOST_AUTO_TEST_CASE(test_nsec_denial_only_one_nsec
)
134 generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
136 vector
<DNSRecord
> records
;
138 sortedRecords_t recordContents
;
139 vector
<shared_ptr
<RRSIGRecordContent
>> signatureContents
;
142 Only one NSEC in the whole zone test case:
143 a.example.org. -> a.example.org. denies the existence of b.example.org.
145 addNSECRecordToLW(DNSName("a.example.org."), DNSName("a.example.org"), {QType::A
, QType::TXT
, QType::RRSIG
, QType::NSEC
}, 600, records
);
146 recordContents
.insert(records
.at(0).d_content
);
147 addRRSIG(keys
, records
, DNSName("example.org."), 300);
148 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
152 pair
.records
= recordContents
;
153 pair
.signatures
= signatureContents
;
155 denialMap
[std::make_pair(DNSName("a.example.org."), QType::NSEC
)] = pair
;
157 dState denialState
= getDenial(denialMap
, DNSName("b.example.org."), QType::A
, false, false);
158 BOOST_CHECK_EQUAL(denialState
, NXDOMAIN
);
160 denialState
= getDenial(denialMap
, DNSName("a.example.org."), QType::A
, false, false);
161 /* let's check that d.example.org. is not denied by this proof */
162 BOOST_CHECK_EQUAL(denialState
, NODATA
);
165 BOOST_AUTO_TEST_CASE(test_nsec_root_nxd_denial
)
170 generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
172 vector
<DNSRecord
> records
;
174 sortedRecords_t recordContents
;
175 vector
<shared_ptr
<RRSIGRecordContent
>> signatureContents
;
178 The RRSIG from "." denies the existence of anything between a. and c.,
181 addNSECRecordToLW(DNSName("a."), DNSName("c."), {QType::NS
}, 600, records
);
182 recordContents
.insert(records
.at(0).d_content
);
183 addRRSIG(keys
, records
, DNSName("."), 300);
184 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
188 pair
.records
= recordContents
;
189 pair
.signatures
= signatureContents
;
191 denialMap
[std::make_pair(DNSName("a."), QType::NSEC
)] = pair
;
193 /* add wildcard denial */
194 recordContents
.clear();
195 signatureContents
.clear();
196 addNSECRecordToLW(DNSName("."), DNSName("+"), {QType::A
, QType::TXT
, QType::RRSIG
, QType::NSEC
}, 600, records
);
197 recordContents
.insert(records
.at(0).d_content
);
198 addRRSIG(keys
, records
, DNSName("."), 300);
199 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
202 pair
.records
= recordContents
;
203 pair
.signatures
= signatureContents
;
204 denialMap
[std::make_pair(DNSName("."), QType::NSEC
)] = pair
;
206 dState denialState
= getDenial(denialMap
, DNSName("b."), QType::A
, false, false);
207 BOOST_CHECK_EQUAL(denialState
, NXDOMAIN
);
210 BOOST_AUTO_TEST_CASE(test_nsec_ancestor_nxqtype_denial
)
215 generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
217 vector
<DNSRecord
> records
;
219 sortedRecords_t recordContents
;
220 vector
<shared_ptr
<RRSIGRecordContent
>> signatureContents
;
223 The RRSIG from "." denies the existence of any type except NS at a.
224 However since it's an ancestor delegation NSEC (NS bit set, SOA bit clear,
225 signer field that is shorter than the owner name of the NSEC RR) it can't
226 be used to deny anything except the whole name or a DS.
228 addNSECRecordToLW(DNSName("a."), DNSName("b."), {QType::NS
}, 600, records
);
229 recordContents
.insert(records
.at(0).d_content
);
230 addRRSIG(keys
, records
, DNSName("."), 300);
231 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
235 pair
.records
= recordContents
;
236 pair
.signatures
= signatureContents
;
238 denialMap
[std::make_pair(DNSName("a."), QType::NSEC
)] = pair
;
240 /* RFC 6840 section 4.1 "Clarifications on Nonexistence Proofs":
241 Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume
242 nonexistence of any RRs below that zone cut, which include all RRs at
243 that (original) owner name other than DS RRs, and all RRs below that
244 owner name regardless of type.
247 dState denialState
= getDenial(denialMap
, DNSName("a."), QType::A
, false, false);
248 /* no data means the qname/qtype is not denied, because an ancestor
249 delegation NSEC can only deny the DS */
250 BOOST_CHECK_EQUAL(denialState
, NODATA
);
252 /* it can not be used to deny any RRs below that owner name either */
253 denialState
= getDenial(denialMap
, DNSName("sub.a."), QType::A
, false, false);
254 BOOST_CHECK_EQUAL(denialState
, NODATA
);
256 denialState
= getDenial(denialMap
, DNSName("a."), QType::DS
, true, true);
257 BOOST_CHECK_EQUAL(denialState
, NXQTYPE
);
260 BOOST_AUTO_TEST_CASE(test_nsec_insecure_delegation_denial
)
265 generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
267 vector
<DNSRecord
> records
;
269 sortedRecords_t recordContents
;
270 vector
<shared_ptr
<RRSIGRecordContent
>> signatureContents
;
273 * RFC 5155 section 8.9:
274 * If there is an NSEC3 RR present in the response that matches the
275 * delegation name, then the validator MUST ensure that the NS bit is
276 * set and that the DS bit is not set in the Type Bit Maps field of the
280 The RRSIG from "." denies the existence of any type at a.
281 NS should be set if it was proving an insecure delegation, let's check that
282 we correctly detect that it's not.
284 addNSECRecordToLW(DNSName("a."), DNSName("b."), {}, 600, records
);
285 recordContents
.insert(records
.at(0).d_content
);
286 addRRSIG(keys
, records
, DNSName("."), 300);
287 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
291 pair
.records
= recordContents
;
292 pair
.signatures
= signatureContents
;
294 denialMap
[std::make_pair(DNSName("a."), QType::NSEC
)] = pair
;
296 /* Insecure because the NS is not set, so while it does
297 denies the DS, it can't prove an insecure delegation */
298 dState denialState
= getDenial(denialMap
, DNSName("a."), QType::DS
, true, true);
299 BOOST_CHECK_EQUAL(denialState
, NODATA
);
302 BOOST_AUTO_TEST_CASE(test_nsec_nxqtype_cname
)
307 generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
309 vector
<DNSRecord
> records
;
311 sortedRecords_t recordContents
;
312 vector
<shared_ptr
<RRSIGRecordContent
>> signatureContents
;
314 addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("a.c.powerdns.com."), {QType::CNAME
}, 600, records
);
315 recordContents
.insert(records
.at(0).d_content
);
316 addRRSIG(keys
, records
, DNSName("powerdns.com."), 300);
317 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
321 pair
.records
= recordContents
;
322 pair
.signatures
= signatureContents
;
324 denialMap
[std::make_pair(DNSName("a.powerdns.com."), QType::NSEC
)] = pair
;
326 /* this NSEC is not valid to deny a.powerdns.com|A since it states that a CNAME exists */
327 dState denialState
= getDenial(denialMap
, DNSName("a.powerdns.com."), QType::A
, true, true);
328 BOOST_CHECK_EQUAL(denialState
, NODATA
);
331 BOOST_AUTO_TEST_CASE(test_nsec3_nxqtype_cname
)
336 generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
338 vector
<DNSRecord
> records
;
340 sortedRecords_t recordContents
;
341 vector
<shared_ptr
<RRSIGRecordContent
>> signatureContents
;
343 addNSEC3UnhashedRecordToLW(DNSName("a.powerdns.com."), DNSName("powerdns.com."), "whatever", {QType::CNAME
}, 600, records
);
344 recordContents
.insert(records
.at(0).d_content
);
345 addRRSIG(keys
, records
, DNSName("powerdns.com."), 300);
346 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
349 pair
.records
= recordContents
;
350 pair
.signatures
= signatureContents
;
352 denialMap
[std::make_pair(records
.at(0).d_name
, records
.at(0).d_type
)] = pair
;
355 /* this NSEC3 is not valid to deny a.powerdns.com|A since it states that a CNAME exists */
356 dState denialState
= getDenial(denialMap
, DNSName("a.powerdns.com."), QType::A
, false, true);
357 BOOST_CHECK_EQUAL(denialState
, NODATA
);
360 BOOST_AUTO_TEST_CASE(test_nsec_nxdomain_denial_missing_wildcard
)
365 generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
367 vector
<DNSRecord
> records
;
369 sortedRecords_t recordContents
;
370 vector
<shared_ptr
<RRSIGRecordContent
>> signatureContents
;
372 addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("d.powerdns.com"), {QType::A
, QType::TXT
, QType::RRSIG
, QType::NSEC
}, 600, records
);
373 recordContents
.insert(records
.at(0).d_content
);
374 addRRSIG(keys
, records
, DNSName("powerdns.com."), 300);
375 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
379 pair
.records
= recordContents
;
380 pair
.signatures
= signatureContents
;
382 denialMap
[std::make_pair(DNSName("a.powerdns.com."), QType::NSEC
)] = pair
;
384 dState denialState
= getDenial(denialMap
, DNSName("b.powerdns.com."), QType::A
, false, false);
385 BOOST_CHECK_EQUAL(denialState
, NODATA
);
388 BOOST_AUTO_TEST_CASE(test_nsec3_nxdomain_denial_missing_wildcard
)
393 generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
395 vector
<DNSRecord
> records
;
397 sortedRecords_t recordContents
;
398 vector
<shared_ptr
<RRSIGRecordContent
>> signatureContents
;
400 addNSEC3NarrowRecordToLW(DNSName("a.powerdns.com."), DNSName("powerdns.com."), {QType::A
, QType::TXT
, QType::RRSIG
, QType::NSEC
}, 600, records
);
401 recordContents
.insert(records
.at(0).d_content
);
402 addRRSIG(keys
, records
, DNSName("powerdns.com."), 300);
403 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
406 pair
.records
= recordContents
;
407 pair
.signatures
= signatureContents
;
409 denialMap
[std::make_pair(records
.at(0).d_name
, records
.at(0).d_type
)] = pair
;
411 /* Add NSEC3 for the closest encloser */
412 recordContents
.clear();
413 signatureContents
.clear();
415 addNSEC3UnhashedRecordToLW(DNSName("powerdns.com."), DNSName("powerdns.com."), "whatever", {QType::A
, QType::TXT
, QType::RRSIG
, QType::NSEC
}, 600, records
);
416 recordContents
.insert(records
.at(0).d_content
);
417 addRRSIG(keys
, records
, DNSName("powerdns.com."), 300);
418 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
420 pair
.records
= recordContents
;
421 pair
.signatures
= signatureContents
;
422 denialMap
[std::make_pair(records
.at(0).d_name
, records
.at(0).d_type
)] = pair
;
424 dState denialState
= getDenial(denialMap
, DNSName("b.powerdns.com."), QType::A
, false, false);
425 BOOST_CHECK_EQUAL(denialState
, NODATA
);
428 BOOST_AUTO_TEST_CASE(test_nsec_ent_denial
)
433 generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
435 vector
<DNSRecord
> records
;
437 sortedRecords_t recordContents
;
438 vector
<shared_ptr
<RRSIGRecordContent
>> signatureContents
;
440 addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("a.c.powerdns.com."), {QType::A
}, 600, records
);
441 recordContents
.insert(records
.at(0).d_content
);
442 addRRSIG(keys
, records
, DNSName("powerdns.com."), 300);
443 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
447 pair
.records
= recordContents
;
448 pair
.signatures
= signatureContents
;
450 denialMap
[std::make_pair(DNSName("a.powerdns.com."), QType::NSEC
)] = pair
;
452 /* this NSEC is valid to prove a NXQTYPE at c.powerdns.com because it proves that
454 dState denialState
= getDenial(denialMap
, DNSName("c.powerdns.com."), QType::AAAA
, true, true);
455 BOOST_CHECK_EQUAL(denialState
, NXQTYPE
);
457 /* this NSEC is not valid to prove a NXQTYPE at b.powerdns.com,
458 it could prove a NXDOMAIN if it had an additional wildcard denial */
459 denialState
= getDenial(denialMap
, DNSName("b.powerdns.com."), QType::AAAA
, true, true);
460 BOOST_CHECK_EQUAL(denialState
, NODATA
);
462 /* this NSEC is not valid to prove a NXQTYPE for QType::A at a.c.powerdns.com either */
463 denialState
= getDenial(denialMap
, DNSName("a.c.powerdns.com."), QType::A
, true, true);
464 BOOST_CHECK_EQUAL(denialState
, NODATA
);
466 /* if we add the wildcard denial proof, we should get a NXDOMAIN proof for b.powerdns.com */
467 recordContents
.clear();
468 signatureContents
.clear();
469 addNSECRecordToLW(DNSName(").powerdns.com."), DNSName("+.powerdns.com."), {}, 600, records
);
470 recordContents
.insert(records
.at(0).d_content
);
471 addRRSIG(keys
, records
, DNSName("powerdns.com."), 300);
472 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
474 pair
.records
= recordContents
;
475 pair
.signatures
= signatureContents
;
476 denialMap
[std::make_pair(DNSName(").powerdns.com."), QType::NSEC
)] = pair
;
478 denialState
= getDenial(denialMap
, DNSName("b.powerdns.com."), QType::A
, true, false);
479 BOOST_CHECK_EQUAL(denialState
, NXDOMAIN
);
481 /* this NSEC is NOT valid to prove a NXDOMAIN at c.powerdns.com because it proves that
482 it exists and is an ENT */
483 denialState
= getDenial(denialMap
, DNSName("c.powerdns.com."), QType::AAAA
, true, false);
484 BOOST_CHECK_EQUAL(denialState
, NODATA
);
487 BOOST_AUTO_TEST_CASE(test_nsec3_ancestor_nxqtype_denial
)
492 generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
494 vector
<DNSRecord
> records
;
496 sortedRecords_t recordContents
;
497 vector
<shared_ptr
<RRSIGRecordContent
>> signatureContents
;
500 The RRSIG from "." denies the existence of any type except NS at a.
501 However since it's an ancestor delegation NSEC (NS bit set, SOA bit clear,
502 signer field that is shorter than the owner name of the NSEC RR) it can't
503 be used to deny anything except the whole name or a DS.
505 addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", {QType::NS
}, 600, records
);
506 recordContents
.insert(records
.at(0).d_content
);
507 addRRSIG(keys
, records
, DNSName("."), 300);
508 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
511 pair
.records
= recordContents
;
512 pair
.signatures
= signatureContents
;
514 denialMap
[std::make_pair(records
.at(0).d_name
, records
.at(0).d_type
)] = pair
;
517 /* RFC 6840 section 4.1 "Clarifications on Nonexistence Proofs":
518 Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume
519 nonexistence of any RRs below that zone cut, which include all RRs at
520 that (original) owner name other than DS RRs, and all RRs below that
521 owner name regardless of type.
524 dState denialState
= getDenial(denialMap
, DNSName("a."), QType::A
, false, true);
525 /* no data means the qname/qtype is not denied, because an ancestor
526 delegation NSEC3 can only deny the DS */
527 BOOST_CHECK_EQUAL(denialState
, NODATA
);
529 denialState
= getDenial(denialMap
, DNSName("a."), QType::DS
, true, true);
530 BOOST_CHECK_EQUAL(denialState
, NXQTYPE
);
532 /* it can not be used to deny any RRs below that owner name either */
533 /* Add NSEC3 for the next closer */
534 recordContents
.clear();
535 signatureContents
.clear();
537 addNSEC3NarrowRecordToLW(DNSName("sub.a."), DNSName("."), {QType::A
, QType::TXT
, QType::RRSIG
, QType::NSEC3
}, 600, records
);
538 recordContents
.insert(records
.at(0).d_content
);
539 addRRSIG(keys
, records
, DNSName("."), 300);
540 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
542 pair
.records
= recordContents
;
543 pair
.signatures
= signatureContents
;
544 denialMap
[std::make_pair(records
.at(0).d_name
, records
.at(0).d_type
)] = pair
;
546 /* add wildcard denial */
547 recordContents
.clear();
548 signatureContents
.clear();
550 addNSEC3NarrowRecordToLW(DNSName("*.a."), DNSName("."), {QType::A
, QType::TXT
, QType::RRSIG
, QType::NSEC3
}, 600, records
);
551 recordContents
.insert(records
.at(0).d_content
);
552 addRRSIG(keys
, records
, DNSName("."), 300);
553 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
555 pair
.records
= recordContents
;
556 pair
.signatures
= signatureContents
;
557 denialMap
[std::make_pair(records
.at(0).d_name
, records
.at(0).d_type
)] = pair
;
559 denialState
= getDenial(denialMap
, DNSName("sub.a."), QType::A
, false, true);
560 BOOST_CHECK_EQUAL(denialState
, NODATA
);
563 BOOST_AUTO_TEST_CASE(test_nsec3_denial_too_many_iterations
)
568 generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
570 vector
<DNSRecord
> records
;
572 sortedRecords_t recordContents
;
573 vector
<shared_ptr
<RRSIGRecordContent
>> signatureContents
;
575 /* adding a NSEC3 with more iterations that we support */
576 addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", {QType::AAAA
}, 600, records
, g_maxNSEC3Iterations
+ 100);
577 recordContents
.insert(records
.at(0).d_content
);
578 addRRSIG(keys
, records
, DNSName("."), 300);
579 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
582 pair
.records
= recordContents
;
583 pair
.signatures
= signatureContents
;
585 denialMap
[std::make_pair(records
.at(0).d_name
, records
.at(0).d_type
)] = pair
;
588 dState denialState
= getDenial(denialMap
, DNSName("a."), QType::A
, false, true);
589 /* since we refuse to compute more than g_maxNSEC3Iterations iterations, it should be Insecure */
590 BOOST_CHECK_EQUAL(denialState
, INSECURE
);
593 BOOST_AUTO_TEST_CASE(test_nsec3_insecure_delegation_denial
)
598 generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
600 vector
<DNSRecord
> records
;
602 sortedRecords_t recordContents
;
603 vector
<shared_ptr
<RRSIGRecordContent
>> signatureContents
;
606 * RFC 5155 section 8.9:
607 * If there is an NSEC3 RR present in the response that matches the
608 * delegation name, then the validator MUST ensure that the NS bit is
609 * set and that the DS bit is not set in the Type Bit Maps field of the
613 The RRSIG from "." denies the existence of any type at a.
614 NS should be set if it was proving an insecure delegation, let's check that
615 we correctly detect that it's not.
617 addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", {}, 600, records
);
618 recordContents
.insert(records
.at(0).d_content
);
619 addRRSIG(keys
, records
, DNSName("."), 300);
620 signatureContents
.push_back(getRR
<RRSIGRecordContent
>(records
.at(1)));
623 pair
.records
= recordContents
;
624 pair
.signatures
= signatureContents
;
626 denialMap
[std::make_pair(records
.at(0).d_name
, records
.at(0).d_type
)] = pair
;
629 /* Insecure because the NS is not set, so while it does
630 denies the DS, it can't prove an insecure delegation */
631 dState denialState
= getDenial(denialMap
, DNSName("a."), QType::DS
, true, true);
632 BOOST_CHECK_EQUAL(denialState
, NODATA
);
635 BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_negcache_validity
)
637 std::unique_ptr
<SyncRes
> sr
;
640 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
643 const DNSName
target("com.");
646 auto luaconfsCopy
= g_luaconfs
.getCopy();
647 luaconfsCopy
.dsAnchors
.clear();
648 generateKeyMaterial(g_rootdnsname
, DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
, luaconfsCopy
.dsAnchors
);
649 generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
650 g_luaconfs
.setState(luaconfsCopy
);
652 size_t queriesCount
= 0;
653 const time_t fixedNow
= sr
->getNow().tv_sec
;
655 sr
->setAsyncCallback([target
, &queriesCount
, keys
, fixedNow
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
658 DNSName auth
= domain
;
661 if (type
== QType::DS
|| type
== QType::DNSKEY
) {
662 return genericDSAndDNSKEYHandler(res
, domain
, auth
, type
, keys
);
665 setLWResult(res
, RCode::NoError
, true, false, true);
666 addRecordToLW(res
, domain
, QType::SOA
, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY
, 3600);
667 addRRSIG(keys
, res
->d_records
, domain
, 300);
668 addNSECRecordToLW(domain
, DNSName("z."), {QType::NSEC
, QType::RRSIG
}, 600, res
->d_records
);
669 addRRSIG(keys
, res
->d_records
, domain
, 1, false, boost::none
, boost::none
, fixedNow
);
676 vector
<DNSRecord
> ret
;
677 int res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
678 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
679 BOOST_CHECK_EQUAL(sr
->getValidationState(), Secure
);
680 BOOST_REQUIRE_EQUAL(ret
.size(), 4U);
681 BOOST_CHECK_EQUAL(queriesCount
, 4U);
683 /* check that the entry has not been negatively cached for longer than the RRSIG validity */
684 NegCache::NegCacheEntry ne
;
685 BOOST_CHECK_EQUAL(SyncRes::t_sstorage
.negcache
.size(), 1U);
686 BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage
.negcache
.get(target
, QType(QType::A
), sr
->getNow(), ne
), true);
687 BOOST_CHECK_EQUAL(ne
.d_ttd
, fixedNow
+ 1);
688 BOOST_CHECK_EQUAL(ne
.d_validationState
, Secure
);
689 BOOST_CHECK_EQUAL(ne
.authoritySOA
.records
.size(), 1U);
690 BOOST_CHECK_EQUAL(ne
.authoritySOA
.signatures
.size(), 1U);
691 BOOST_CHECK_EQUAL(ne
.DNSSECRecords
.records
.size(), 1U);
692 BOOST_CHECK_EQUAL(ne
.DNSSECRecords
.signatures
.size(), 1U);
694 /* again, to test the cache */
696 res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
697 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
698 BOOST_CHECK_EQUAL(sr
->getValidationState(), Secure
);
699 BOOST_REQUIRE_EQUAL(ret
.size(), 4U);
700 BOOST_CHECK_EQUAL(queriesCount
, 4U);
703 BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_negcache_bogus_validity
)
705 std::unique_ptr
<SyncRes
> sr
;
708 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
711 const DNSName
target("com.");
714 auto luaconfsCopy
= g_luaconfs
.getCopy();
715 luaconfsCopy
.dsAnchors
.clear();
716 generateKeyMaterial(g_rootdnsname
, DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
, luaconfsCopy
.dsAnchors
);
717 generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
718 g_luaconfs
.setState(luaconfsCopy
);
720 size_t queriesCount
= 0;
721 const time_t fixedNow
= sr
->getNow().tv_sec
;
723 sr
->setAsyncCallback([&queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
726 DNSName auth
= domain
;
729 if (type
== QType::DS
|| type
== QType::DNSKEY
) {
730 return genericDSAndDNSKEYHandler(res
, domain
, auth
, type
, keys
);
733 setLWResult(res
, RCode::NoError
, true, false, true);
734 addRecordToLW(res
, domain
, QType::SOA
, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY
, 86400);
735 addRRSIG(keys
, res
->d_records
, domain
, 86400);
736 addNSECRecordToLW(domain
, DNSName("z."), {QType::NSEC
, QType::RRSIG
}, 86400, res
->d_records
);
744 SyncRes::s_maxnegttl
= 3600;
745 SyncRes::s_maxbogusttl
= 360;
747 vector
<DNSRecord
> ret
;
748 int res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
749 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
750 BOOST_CHECK_EQUAL(sr
->getValidationState(), Bogus
);
751 BOOST_REQUIRE_EQUAL(ret
.size(), 3U);
752 BOOST_CHECK_EQUAL(queriesCount
, 4U);
754 /* check that the entry has been negatively cached but not longer than s_maxbogusttl */
755 NegCache::NegCacheEntry ne
;
756 BOOST_CHECK_EQUAL(SyncRes::t_sstorage
.negcache
.size(), 1U);
757 BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage
.negcache
.get(target
, QType(QType::A
), sr
->getNow(), ne
), true);
758 BOOST_CHECK_EQUAL(ne
.d_ttd
, fixedNow
+ SyncRes::s_maxbogusttl
);
759 BOOST_CHECK_EQUAL(ne
.d_validationState
, Bogus
);
760 BOOST_CHECK_EQUAL(ne
.authoritySOA
.records
.size(), 1U);
761 BOOST_CHECK_EQUAL(ne
.authoritySOA
.signatures
.size(), 1U);
762 BOOST_CHECK_EQUAL(ne
.DNSSECRecords
.records
.size(), 1U);
763 BOOST_CHECK_EQUAL(ne
.DNSSECRecords
.signatures
.size(), 0U);
765 /* again, to test the cache */
767 res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
768 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
769 BOOST_CHECK_EQUAL(sr
->getValidationState(), Bogus
);
770 BOOST_REQUIRE_EQUAL(ret
.size(), 3U);
771 BOOST_CHECK_EQUAL(queriesCount
, 4U);
774 BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_cache_validity
)
776 std::unique_ptr
<SyncRes
> sr
;
779 setDNSSECValidation(sr
, DNSSECMode::ValidateAll
);
782 const DNSName
target("com.");
783 const ComboAddress
targetAddr("192.0.2.42");
786 auto luaconfsCopy
= g_luaconfs
.getCopy();
787 luaconfsCopy
.dsAnchors
.clear();
788 generateKeyMaterial(g_rootdnsname
, DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
, luaconfsCopy
.dsAnchors
);
789 generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
);
790 g_luaconfs
.setState(luaconfsCopy
);
792 size_t queriesCount
= 0;
793 const time_t tnow
= sr
->getNow().tv_sec
;
795 sr
->setAsyncCallback([target
, targetAddr
, &queriesCount
, keys
, tnow
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
798 DNSName auth
= domain
;
801 if (type
== QType::DS
|| type
== QType::DNSKEY
) {
802 return genericDSAndDNSKEYHandler(res
, domain
, auth
, type
, keys
);
805 setLWResult(res
, RCode::NoError
, true, false, true);
806 addRecordToLW(res
, domain
, QType::A
, targetAddr
.toString(), DNSResourceRecord::ANSWER
, 3600);
807 addRRSIG(keys
, res
->d_records
, domain
, 1, false, boost::none
, boost::none
, tnow
);
814 vector
<DNSRecord
> ret
;
815 int res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
816 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
817 BOOST_CHECK_EQUAL(sr
->getValidationState(), Secure
);
818 BOOST_REQUIRE_EQUAL(ret
.size(), 2U);
819 BOOST_CHECK_EQUAL(queriesCount
, 4U);
821 /* check that the entry has not been cached for longer than the RRSIG validity */
822 const ComboAddress who
;
823 vector
<DNSRecord
> cached
;
824 vector
<std::shared_ptr
<RRSIGRecordContent
>> signatures
;
825 BOOST_REQUIRE_EQUAL(s_RC
->get(tnow
, target
, QType(QType::A
), true, &cached
, who
, boost::none
, &signatures
), 1);
826 BOOST_REQUIRE_EQUAL(cached
.size(), 1U);
827 BOOST_REQUIRE_EQUAL(signatures
.size(), 1U);
828 BOOST_CHECK_EQUAL((cached
[0].d_ttl
- tnow
), 1);
830 /* again, to test the cache */
832 res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
833 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
834 BOOST_CHECK_EQUAL(sr
->getValidationState(), Secure
);
835 BOOST_REQUIRE_EQUAL(ret
.size(), 2U);
836 BOOST_CHECK_EQUAL(queriesCount
, 4U);
839 BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_secure
)
842 Validation is optional, and the first query does not ask for it,
843 so the answer is cached as Indeterminate.
844 The second query asks for validation, answer should be marked as
845 Secure, after just-in-time validation.
847 std::unique_ptr
<SyncRes
> sr
;
850 setDNSSECValidation(sr
, DNSSECMode::Process
);
853 const DNSName
target("com.");
856 auto luaconfsCopy
= g_luaconfs
.getCopy();
857 luaconfsCopy
.dsAnchors
.clear();
858 generateKeyMaterial(g_rootdnsname
, DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
, luaconfsCopy
.dsAnchors
);
859 g_luaconfs
.setState(luaconfsCopy
);
861 size_t queriesCount
= 0;
863 sr
->setAsyncCallback([target
, &queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
866 if (type
== QType::DS
|| type
== QType::DNSKEY
) {
867 return genericDSAndDNSKEYHandler(res
, domain
, domain
, type
, keys
, false);
870 if (domain
== target
&& type
== QType::A
) {
871 setLWResult(res
, 0, true, false, true);
872 addRecordToLW(res
, target
, QType::A
, "192.0.2.1");
873 addRRSIG(keys
, res
->d_records
, DNSName("."), 300);
881 vector
<DNSRecord
> ret
;
882 /* first query does not require validation */
883 sr
->setDNSSECValidationRequested(false);
884 int res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
885 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
886 BOOST_CHECK_EQUAL(sr
->getValidationState(), Indeterminate
);
887 BOOST_REQUIRE_EQUAL(ret
.size(), 2U);
888 for (const auto& record
: ret
) {
889 BOOST_CHECK(record
.d_type
== QType::A
|| record
.d_type
== QType::RRSIG
);
891 BOOST_CHECK_EQUAL(queriesCount
, 1U);
894 /* second one _does_ require validation */
895 sr
->setDNSSECValidationRequested(true);
896 res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
897 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
898 BOOST_CHECK_EQUAL(sr
->getValidationState(), Secure
);
899 BOOST_REQUIRE_EQUAL(ret
.size(), 2U);
900 for (const auto& record
: ret
) {
901 BOOST_CHECK(record
.d_type
== QType::A
|| record
.d_type
== QType::RRSIG
);
903 BOOST_CHECK_EQUAL(queriesCount
, 3U);
906 BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_insecure
)
909 Validation is optional, and the first query does not ask for it,
910 so the answer is cached as Indeterminate.
911 The second query asks for validation, answer should be marked as
914 std::unique_ptr
<SyncRes
> sr
;
917 setDNSSECValidation(sr
, DNSSECMode::Process
);
920 const DNSName
target("com.");
923 auto luaconfsCopy
= g_luaconfs
.getCopy();
924 luaconfsCopy
.dsAnchors
.clear();
925 g_luaconfs
.setState(luaconfsCopy
);
927 size_t queriesCount
= 0;
929 sr
->setAsyncCallback([target
, &queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
932 if (type
== QType::DS
|| type
== QType::DNSKEY
) {
933 return genericDSAndDNSKEYHandler(res
, domain
, domain
, type
, keys
, false);
936 if (domain
== target
&& type
== QType::A
) {
937 setLWResult(res
, 0, true, false, true);
938 addRecordToLW(res
, target
, QType::A
, "192.0.2.1");
946 vector
<DNSRecord
> ret
;
947 /* first query does not require validation */
948 sr
->setDNSSECValidationRequested(false);
949 int res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
950 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
951 BOOST_CHECK_EQUAL(sr
->getValidationState(), Indeterminate
);
952 BOOST_REQUIRE_EQUAL(ret
.size(), 1U);
953 for (const auto& record
: ret
) {
954 BOOST_CHECK(record
.d_type
== QType::A
);
956 BOOST_CHECK_EQUAL(queriesCount
, 1U);
959 /* second one _does_ require validation */
960 sr
->setDNSSECValidationRequested(true);
961 res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
962 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
963 BOOST_CHECK_EQUAL(sr
->getValidationState(), Insecure
);
964 BOOST_REQUIRE_EQUAL(ret
.size(), 1U);
965 for (const auto& record
: ret
) {
966 BOOST_CHECK(record
.d_type
== QType::A
);
968 BOOST_CHECK_EQUAL(queriesCount
, 1U);
971 BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_bogus
)
974 Validation is optional, and the first query does not ask for it,
975 so the answer is cached as Indeterminate.
976 The second query asks for validation, answer should be marked as
979 std::unique_ptr
<SyncRes
> sr
;
982 setDNSSECValidation(sr
, DNSSECMode::Process
);
985 const DNSName
target("com.");
988 auto luaconfsCopy
= g_luaconfs
.getCopy();
989 luaconfsCopy
.dsAnchors
.clear();
990 generateKeyMaterial(g_rootdnsname
, DNSSECKeeper::ECDSA256
, DNSSECKeeper::DIGEST_SHA256
, keys
, luaconfsCopy
.dsAnchors
);
991 g_luaconfs
.setState(luaconfsCopy
);
993 size_t queriesCount
= 0;
995 sr
->setAsyncCallback([target
, &queriesCount
, keys
](const ComboAddress
& ip
, const DNSName
& domain
, int type
, bool doTCP
, bool sendRDQuery
, int EDNS0Level
, struct timeval
* now
, boost::optional
<Netmask
>& srcmask
, boost::optional
<const ResolveContext
&> context
, LWResult
* res
, bool* chained
) {
998 if (type
== QType::DS
|| type
== QType::DNSKEY
) {
999 return genericDSAndDNSKEYHandler(res
, domain
, domain
, type
, keys
, false);
1002 if (domain
== target
&& type
== QType::A
) {
1003 setLWResult(res
, 0, true, false, true);
1004 addRecordToLW(res
, target
, QType::A
, "192.0.2.1", DNSResourceRecord::ANSWER
, 86400);
1013 SyncRes::s_maxbogusttl
= 3600;
1015 vector
<DNSRecord
> ret
;
1016 /* first query does not require validation */
1017 sr
->setDNSSECValidationRequested(false);
1018 int res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
1019 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1020 BOOST_CHECK_EQUAL(sr
->getValidationState(), Indeterminate
);
1021 BOOST_REQUIRE_EQUAL(ret
.size(), 1U);
1022 for (const auto& record
: ret
) {
1023 BOOST_CHECK(record
.d_type
== QType::A
);
1024 BOOST_CHECK_EQUAL(record
.d_ttl
, 86400U);
1026 BOOST_CHECK_EQUAL(queriesCount
, 1U);
1029 /* second one _does_ require validation */
1030 sr
->setDNSSECValidationRequested(true);
1031 res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
1032 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1033 BOOST_CHECK_EQUAL(sr
->getValidationState(), Bogus
);
1034 /* check that we correctly capped the TTD for a Bogus record after
1035 just-in-time validation */
1036 BOOST_REQUIRE_EQUAL(ret
.size(), 1U);
1037 for (const auto& record
: ret
) {
1038 BOOST_CHECK(record
.d_type
== QType::A
);
1039 BOOST_CHECK_EQUAL(record
.d_ttl
, SyncRes::s_maxbogusttl
);
1041 BOOST_CHECK_EQUAL(queriesCount
, 3U);
1044 /* third time also _does_ require validation, so we
1045 can check that the cache has been updated */
1046 sr
->setDNSSECValidationRequested(true);
1047 res
= sr
->beginResolve(target
, QType(QType::A
), QClass::IN
, ret
);
1048 BOOST_CHECK_EQUAL(res
, RCode::NoError
);
1049 BOOST_CHECK_EQUAL(sr
->getValidationState(), Bogus
);
1050 BOOST_REQUIRE_EQUAL(ret
.size(), 1U);
1051 for (const auto& record
: ret
) {
1052 BOOST_CHECK(record
.d_type
== QType::A
);
1053 BOOST_CHECK_EQUAL(record
.d_ttl
, SyncRes::s_maxbogusttl
);
1055 BOOST_CHECK_EQUAL(queriesCount
, 3U);
1058 BOOST_AUTO_TEST_SUITE_END()