Add DNSSEC tests for cnames to/from (in)secure
1 import dns
2 from recursortests import RecursorTest
3 import os
4
class BasicDNSSEC(RecursorTest):
    """DNSSEC regression cases for a recursor configured with ``dnssec=validate``.

    Every case sends one UDP query with DNSSEC requested and checks the rcode,
    the answer/authority contents and, for most secure names, that the reply
    passes ``assertMessageIsAuthenticated``.

    The assertion helpers, ``_confdir`` and ``_PREFIX`` are not defined in this
    file; they are expected to come from ``RecursorTest`` or a subclass. The
    zone contents behind the queried names are not visible here either.
    """

    # presumably keeps the test collector from running this class directly,
    # leaving execution to subclasses -- confirm against the test runner
    __test__ = False
    _config_template = """dnssec=validate"""

    @classmethod
    def setUp(cls):
        """Call ``wipeRecursorCache`` on this test's ``configs/<_confdir>`` directory.

        NOTE(review): presumably this stops an answer cached by an earlier case
        from masking the validation result of the next one -- confirm.
        """
        config_dir = os.path.join('configs', cls._confdir)
        cls.wipeRecursorCache(config_dir)

    @classmethod
    def sendQuery(cls, name, rdtype):
        """Build a query for ``name``/``rdtype`` and send it with ``sendUDPQuery``.

        The query is created with ``want_dnssec=True`` and additionally has the
        AD flag set in its header. Returns whatever ``sendUDPQuery`` returns.
        """
        query = dns.message.make_query(name, rdtype, want_dnssec=True)
        query.flags |= dns.flags.AD

        return cls.sendUDPQuery(query)

    def testSecureAnswer(self):
        """ns.secure.example. A: NOERROR, signed A RRset, authenticated reply."""
        reply = self.sendQuery('ns.secure.example.', 'A')
        wanted = dns.rrset.from_text(
            'ns.secure.example.', 0, dns.rdataclass.IN, 'A',
            '{prefix}.10'.format(prefix=self._PREFIX))

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(reply, wanted)
        self.assertMessageIsAuthenticated(reply)

    def testInsecureAnswer(self):
        """node1.insecure.example. A: NOERROR and no RRSIGs in the answer.

        NOTE(review): nothing here asserts that the reply is *not* marked as
        authenticated, so an insecure answer carrying that mark would pass.
        """
        reply = self.sendQuery('node1.insecure.example.', 'A')

        self.assertNoRRSIGsInAnswer(reply)
        self.assertRcodeEqual(reply, dns.rcode.NOERROR)

    def testBogusAnswer(self):
        """ted.bogus.example. A: SERVFAIL with an empty answer section."""
        reply = self.sendQuery('ted.bogus.example.', 'A')

        self.assertRcodeEqual(reply, dns.rcode.SERVFAIL)
        self.assertAnswerEmpty(reply)

    def testSecureNXDOMAIN(self):
        """nxdomain.secure.example. A: NXDOMAIN.

        NOTE(review): unlike testSecureSubtreeInZoneNXDOMAIN, this case does
        not assert that the denial is authenticated.
        """
        reply = self.sendQuery('nxdomain.secure.example.', 'A')

        self.assertRcodeEqual(reply, dns.rcode.NXDOMAIN)

    def testInsecureNXDOMAIN(self):
        """nxdomain.insecure.example. A: NXDOMAIN."""
        reply = self.sendQuery('nxdomain.insecure.example.', 'A')

        self.assertRcodeEqual(reply, dns.rcode.NXDOMAIN)

    def testBogusNXDOMAIN(self):
        """nxdomain.bogus.example. A: SERVFAIL rather than NXDOMAIN."""
        reply = self.sendQuery('nxdomain.bogus.example.', 'A')

        self.assertRcodeEqual(reply, dns.rcode.SERVFAIL)

    def testSecureOptoutAnswer(self):
        """node1.secure.optout.example. A: NOERROR, signed A RRset, authenticated."""
        reply = self.sendQuery('node1.secure.optout.example.', 'A')
        wanted = dns.rrset.from_text(
            'node1.secure.optout.example.', 0, dns.rdataclass.IN, 'A',
            '192.0.2.8')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(reply, wanted)
        self.assertMessageIsAuthenticated(reply)

    def testInsecureOptoutAnswer(self):
        """node1.insecure.optout.example. A: NOERROR and no RRSIGs in the answer."""
        reply = self.sendQuery('node1.insecure.optout.example.', 'A')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertNoRRSIGsInAnswer(reply)

    def testSecureSubtreeInZoneAnswer(self):
        """host1.sub.secure.example. A: NOERROR, signed A RRset, authenticated."""
        reply = self.sendQuery('host1.sub.secure.example.', 'A')
        wanted = dns.rrset.from_text(
            'host1.sub.secure.example.', 0, dns.rdataclass.IN, 'A',
            '192.0.2.11')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(reply, wanted)
        self.assertMessageIsAuthenticated(reply)

    def testSecureSubtreeInZoneNXDOMAIN(self):
        """host2.sub.secure.example. A: NXDOMAIN in an authenticated reply."""
        reply = self.sendQuery('host2.sub.secure.example.', 'A')

        self.assertRcodeEqual(reply, dns.rcode.NXDOMAIN)
        self.assertMessageIsAuthenticated(reply)

    def testSecureWildcardAnswer(self):
        """something.wildcard.secure.example. A: NOERROR, signed A RRset, authenticated."""
        reply = self.sendQuery('something.wildcard.secure.example.', 'A')
        wanted = dns.rrset.from_text(
            'something.wildcard.secure.example.', 0, dns.rdataclass.IN, 'A',
            '192.0.2.10')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(reply, wanted)
        self.assertMessageIsAuthenticated(reply)

    def testSecureCNAMEWildCardAnswer(self):
        """something.cnamewildcard.secure.example. A: signed CNAME plus signed A.

        Expects NOERROR, both RRsets covered by a matching RRSIG, and an
        authenticated reply.
        """
        reply = self.sendQuery('something.cnamewildcard.secure.example.', 'A')
        wanted_cname = dns.rrset.from_text(
            'something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')
        wanted_a = dns.rrset.from_text(
            'host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(reply, wanted_cname)
        self.assertMatchingRRSIGInAnswer(reply, wanted_a)
        self.assertMessageIsAuthenticated(reply)

    def testSecureCNAMEWildCardNXDOMAIN(self):
        """something.cnamewildcardnxdomain.secure.example. A: signed CNAME, NXDOMAIN.

        The CNAME RRset must still carry a matching RRSIG and the reply must be
        authenticated even though the final rcode is NXDOMAIN.
        """
        reply = self.sendQuery(
            'something.cnamewildcardnxdomain.secure.example.', 'A')
        wanted_cname = dns.rrset.from_text(
            'something.cnamewildcardnxdomain.secure.example.', 0,
            dns.rdataclass.IN, 'CNAME', 'doesntexist.secure.example.')

        self.assertRcodeEqual(reply, dns.rcode.NXDOMAIN)
        self.assertMatchingRRSIGInAnswer(reply, wanted_cname)
        self.assertMessageIsAuthenticated(reply)

    def testSecureNoData(self):
        """host1.secure.example. AAAA: NOERROR, empty answer, SOA in authority, authenticated."""
        reply = self.sendQuery('host1.secure.example.', 'AAAA')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertAnswerEmpty(reply)
        self.assertAuthorityHasSOA(reply)
        self.assertMessageIsAuthenticated(reply)

    def testSecureCNAMENoData(self):
        """cname.secure.example. AAAA: signed CNAME, SOA in authority, authenticated."""
        reply = self.sendQuery('cname.secure.example.', 'AAAA')
        wanted_cname = dns.rrset.from_text(
            'cname.secure.example.', 0, dns.rdataclass.IN, 'CNAME',
            'host1.secure.example.')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(reply, wanted_cname)
        self.assertAuthorityHasSOA(reply)
        self.assertMessageIsAuthenticated(reply)

    def testSecureWildCardNoData(self):
        """something.cnamewildcard.secure.example. AAAA: signed CNAME, SOA, authenticated."""
        reply = self.sendQuery('something.cnamewildcard.secure.example.', 'AAAA')
        wanted_cname = dns.rrset.from_text(
            'something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(reply, wanted_cname)
        self.assertAuthorityHasSOA(reply)
        self.assertMessageIsAuthenticated(reply)

    def testInsecureToSecureCNAMEAnswer(self):
        """cname-to-secure.insecure.example. A: unsigned CNAME into a signed A.

        Expects NOERROR, the CNAME RRset present in the answer and the target
        A RRset covered by a matching RRSIG.
        """
        reply = self.sendQuery('cname-to-secure.insecure.example.', 'A')
        wanted_a = dns.rrset.from_text(
            'host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
        wanted_cname = dns.rrset.from_text(
            'cname-to-secure.insecure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        # NOTE(review): AD is absent from the listed flags; whether that pins
        # "not authenticated" depends on assertMessageHasFlags comparing the
        # flag set exactly -- confirm in recursortests.
        self.assertMessageHasFlags(reply, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(reply, wanted_cname)
        self.assertMatchingRRSIGInAnswer(reply, wanted_a)

    def testSecureToInsecureCNAMEAnswer(self):
        """cname-to-insecure.secure.example. A: signed CNAME into an unsigned A.

        Expects NOERROR, the A RRset present in the answer and the CNAME RRset
        covered by a matching RRSIG.
        """
        reply = self.sendQuery('cname-to-insecure.secure.example.', 'A')
        wanted_a = dns.rrset.from_text(
            'node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
        # NOTE(review): the CNAME target below is node1.secure.example. while
        # the expected A record is owned by node1.insecure.example. -- verify
        # against the zone data. If assertMatchingRRSIGInAnswer matches on
        # owner name and type only, a wrong target here would go unnoticed.
        wanted_cname = dns.rrset.from_text(
            'cname-to-insecure.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'node1.secure.example.')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        # NOTE(review): as in testInsecureToSecureCNAMEAnswer, this only rules
        # out AD if assertMessageHasFlags compares the flag set exactly.
        self.assertMessageHasFlags(reply, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(reply, wanted_a)
        self.assertMatchingRRSIGInAnswer(reply, wanted_cname)