DNAME: fix regression test
import os

import dns

from recursortests import RecursorTest


class BasicDNSSEC(RecursorTest):
    """Shared DNSSEC resolution checks for a recursor running ``dnssec=validate``.

    Every test sends a single query and checks the rcode, the RRsets and
    RRSIGs found in the answer section and, for part of the tests, the header
    and EDNS flags.  The zone states suggested by the query names (secure,
    insecure, bogus, optout) come from fixtures defined outside this file.

    Test methods are documented with comments rather than docstrings so that
    test-runner output keeps showing the method names.
    """

    # Not collected on its own; presumably concrete test classes derive from it.
    __test__ = False
    _config_template = """dnssec=validate"""

    @classmethod
    def setUp(cls):
        # Presumably clears cached records so that an earlier test cannot
        # satisfy (or poison) a later test's query -- confirm in RecursorTest.
        cls.wipeRecursorCache(os.path.join('configs', cls._confdir))

    def testSecureAnswer(self):
        # Name in the secure zone: the A record must come with a matching
        # RRSIG and the response must be marked authenticated.
        reply = self.sendQuery('ns.secure.example.', 'A')
        wanted = dns.rrset.from_text(
            'ns.secure.example.', 0, dns.rdataclass.IN, 'A',
            '{prefix}.10'.format(prefix=self._PREFIX))

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(reply, wanted)
        self.assertMessageIsAuthenticated(reply)

    def testInsecureAnswer(self):
        # Name in the insecure zone: resolves normally, without any RRSIG.
        # NOTE(review): nothing here checks that the response is *not* marked
        # authenticated -- confirm whether that is covered elsewhere.
        reply = self.sendQuery('node1.insecure.example.', 'A')

        self.assertNoRRSIGsInAnswer(reply)
        self.assertRcodeEqual(reply, dns.rcode.NOERROR)

    def testBogusAnswer(self):
        # Data that fails validation must not be handed to the client:
        # SERVFAIL and an empty answer section.
        reply = self.sendQuery('ted.bogus.example.', 'A')

        self.assertRcodeEqual(reply, dns.rcode.SERVFAIL)
        self.assertAnswerEmpty(reply)

    def testSecureNXDOMAIN(self):
        # NOTE(review): unlike testSecureSubtreeInZoneNXDOMAIN, this does not
        # call assertMessageIsAuthenticated, so a denial returned without
        # validation would go unnoticed here -- confirm this is intentional.
        reply = self.sendQuery('nxdomain.secure.example.', 'A')

        self.assertRcodeEqual(reply, dns.rcode.NXDOMAIN)

    def testInsecureNXDOMAIN(self):
        # Non-existent name in the insecure zone: a plain NXDOMAIN.
        reply = self.sendQuery('nxdomain.insecure.example.', 'A')

        self.assertRcodeEqual(reply, dns.rcode.NXDOMAIN)

    def testBogusNXDOMAIN(self):
        # A denial from the bogus zone must surface as SERVFAIL, not NXDOMAIN.
        reply = self.sendQuery('nxdomain.bogus.example.', 'A')

        self.assertRcodeEqual(reply, dns.rcode.SERVFAIL)

    def testSecureOptoutAnswer(self):
        # Signed name below the optout zone: RRSIG present and authenticated.
        reply = self.sendQuery('node1.secure.optout.example.', 'A')
        wanted = dns.rrset.from_text(
            'node1.secure.optout.example.', 0, dns.rdataclass.IN, 'A',
            '192.0.2.8')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(reply, wanted)
        self.assertMessageIsAuthenticated(reply)

    def testInsecureOptoutAnswer(self):
        # Unsigned name below the optout zone: resolves, carries no RRSIG.
        reply = self.sendQuery('node1.insecure.optout.example.', 'A')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertNoRRSIGsInAnswer(reply)

    def testSecureSubtreeInZoneAnswer(self):
        # Name several labels deep inside the secure zone.
        reply = self.sendQuery('host1.sub.secure.example.', 'A')
        wanted = dns.rrset.from_text(
            'host1.sub.secure.example.', 0, dns.rdataclass.IN, 'A',
            '192.0.2.11')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(reply, wanted)
        self.assertMessageIsAuthenticated(reply)

    def testSecureSubtreeInZoneNXDOMAIN(self):
        # The denial itself has to be authenticated, not only positive data.
        reply = self.sendQuery('host2.sub.secure.example.', 'A')

        self.assertRcodeEqual(reply, dns.rcode.NXDOMAIN)
        self.assertMessageIsAuthenticated(reply)

    def testSecureWildcardAnswer(self):
        # Wildcard-expanded answer in the secure zone.
        reply = self.sendQuery('something.wildcard.secure.example.', 'A')
        wanted = dns.rrset.from_text(
            'something.wildcard.secure.example.', 0, dns.rdataclass.IN, 'A',
            '192.0.2.10')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(reply, wanted)
        self.assertMessageIsAuthenticated(reply)

    def testSecureCNAMEWildCardAnswer(self):
        # Wildcard CNAME pointing at an existing secure host: both the CNAME
        # and the final A record need a matching RRSIG.
        reply = self.sendQuery('something.cnamewildcard.secure.example.', 'A')
        cnameSet = dns.rrset.from_text(
            'something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')
        addrSet = dns.rrset.from_text(
            'host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(reply, cnameSet)
        self.assertMatchingRRSIGInAnswer(reply, addrSet)
        self.assertMessageIsAuthenticated(reply)

    def testSecureCNAMEWildCardNXDOMAIN(self):
        # This answer reaches the UDP truncation threshold, hence TCP.
        reply = self.sendQuery(
            'something.cnamewildcardnxdomain.secure.example.', 'A',
            useTCP=True)
        cnameSet = dns.rrset.from_text(
            'something.cnamewildcardnxdomain.secure.example.', 0,
            dns.rdataclass.IN, 'CNAME', 'doesntexist.secure.example.')

        self.assertRcodeEqual(reply, dns.rcode.NXDOMAIN)
        self.assertMatchingRRSIGInAnswer(reply, cnameSet)
        self.assertMessageIsAuthenticated(reply)

    def testSecureNoData(self):
        # Existing secure name, missing type: empty answer, SOA in authority,
        # and the NODATA response is authenticated.
        reply = self.sendQuery('host1.secure.example.', 'AAAA')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertAnswerEmpty(reply)
        self.assertAuthorityHasSOA(reply)
        self.assertMessageIsAuthenticated(reply)

    def testSecureCNAMENoData(self):
        # NODATA reached through a signed CNAME.
        reply = self.sendQuery('cname.secure.example.', 'AAAA')
        cnameSet = dns.rrset.from_text(
            'cname.secure.example.', 0, dns.rdataclass.IN, 'CNAME',
            'host1.secure.example.')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(reply, cnameSet)
        self.assertAuthorityHasSOA(reply)
        self.assertMessageIsAuthenticated(reply)

    def testSecureWildCardNoData(self):
        # NODATA reached through a wildcard-expanded CNAME.
        reply = self.sendQuery('something.cnamewildcard.secure.example.', 'AAAA')
        cnameSet = dns.rrset.from_text(
            'something.cnamewildcard.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMatchingRRSIGInAnswer(reply, cnameSet)
        self.assertAuthorityHasSOA(reply)
        self.assertMessageIsAuthenticated(reply)

    def testInsecureToSecureCNAMEAnswer(self):
        # The chain starts in the insecure zone, so AD is not in the expected
        # header flags; the secure target's A record still carries its RRSIG.
        # The second list passed to assertMessageHasFlags is presumably the
        # EDNS flags; whether an unexpected AD is rejected depends on that
        # helper -- confirm.
        reply = self.sendQuery('cname-to-secure.insecure.example.', 'A')
        addrSet = dns.rrset.from_text(
            'host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
        cnameSet = dns.rrset.from_text(
            'cname-to-secure.insecure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMessageHasFlags(reply, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(reply, cnameSet)
        self.assertMatchingRRSIGInAnswer(reply, addrSet)

    def testSecureToInsecureCNAMEAnswer(self):
        # The chain ends in the insecure zone, so AD is not in the expected
        # header flags; the signed CNAME still needs its RRSIG.
        # NOTE(review): the CNAME target below is node1.secure.example. while
        # the A record is expected at node1.insecure.example.  The CNAME rrset
        # is only passed to assertMatchingRRSIGInAnswer, which may not compare
        # rdata -- confirm against the zone data.
        reply = self.sendQuery('cname-to-insecure.secure.example.', 'A')
        addrSet = dns.rrset.from_text(
            'node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
        cnameSet = dns.rrset.from_text(
            'cname-to-insecure.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'node1.secure.example.')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMessageHasFlags(reply, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(reply, addrSet)
        self.assertMatchingRRSIGInAnswer(reply, cnameSet)

    def testSecureDNAMEToSecureAnswer(self):
        # Secure DNAME into a secure zone: AD expected.  The CNAME is only
        # checked for presence, not for an RRSIG (a CNAME synthesized from a
        # DNAME is unsigned).
        reply = self.sendQuery('host1.dname-secure.secure.example.', 'A')
        dnameSet = dns.rrset.from_text(
            'dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME',
            'dname-secure.example.')
        cnameSet = dns.rrset.from_text(
            'host1.dname-secure.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.dname-secure.example.')
        addrSet = dns.rrset.from_text(
            'host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A',
            '192.0.2.21')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMessageHasFlags(reply, ['QR', 'RD', 'RA', 'AD'], ['DO'])
        self.assertRRsetInAnswer(reply, addrSet)
        self.assertRRsetInAnswer(reply, cnameSet)
        self.assertRRsetInAnswer(reply, dnameSet)
        self.assertMatchingRRSIGInAnswer(reply, dnameSet)
        self.assertMatchingRRSIGInAnswer(reply, addrSet)

    def testSecureDNAMEToSecureNXDomain(self):
        # Secure DNAME into a secure zone, target name missing: NXDOMAIN with
        # AD, and the DNAME plus its RRSIG still in the answer.
        reply = self.sendQuery('nxd.dname-secure.secure.example.', 'A')
        dnameSet = dns.rrset.from_text(
            'dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME',
            'dname-secure.example.')
        cnameSet = dns.rrset.from_text(
            'nxd.dname-secure.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'nxd.dname-secure.example.')

        self.assertRcodeEqual(reply, dns.rcode.NXDOMAIN)
        self.assertMessageHasFlags(reply, ['QR', 'RD', 'RA', 'AD'], ['DO'])
        self.assertRRsetInAnswer(reply, cnameSet)
        self.assertRRsetInAnswer(reply, dnameSet)
        self.assertMatchingRRSIGInAnswer(reply, dnameSet)

    def testSecureDNAMEToInsecureAnswer(self):
        # Secure DNAME into the insecure zone: AD is not in the expected
        # flags, but the DNAME itself must still carry its RRSIG.
        reply = self.sendQuery('node1.dname-insecure.secure.example.', 'A')
        dnameSet = dns.rrset.from_text(
            'dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME',
            'insecure.example.')
        cnameSet = dns.rrset.from_text(
            'node1.dname-insecure.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'node1.insecure.example.')
        addrSet = dns.rrset.from_text(
            'node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMessageHasFlags(reply, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(reply, addrSet)
        self.assertRRsetInAnswer(reply, cnameSet)
        self.assertRRsetInAnswer(reply, dnameSet)
        self.assertMatchingRRSIGInAnswer(reply, dnameSet)

    def testSecureDNAMEToInsecureNXDomain(self):
        # Secure DNAME into the insecure zone, target name missing.
        reply = self.sendQuery('nxd.dname-insecure.secure.example.', 'A')
        dnameSet = dns.rrset.from_text(
            'dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME',
            'insecure.example.')
        cnameSet = dns.rrset.from_text(
            'nxd.dname-insecure.secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'nxd.insecure.example.')

        self.assertRcodeEqual(reply, dns.rcode.NXDOMAIN)
        self.assertMessageHasFlags(reply, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(reply, cnameSet)
        self.assertRRsetInAnswer(reply, dnameSet)
        self.assertMatchingRRSIGInAnswer(reply, dnameSet)

    def testSecureDNAMEToBogusAnswer(self):
        # A valid DNAME must not let data from a bogus target through.
        reply = self.sendQuery('ted.dname-bogus.secure.example.', 'A')

        self.assertRcodeEqual(reply, dns.rcode.SERVFAIL)
        self.assertAnswerEmpty(reply)

    def testSecureDNAMEToBogusNXDomain(self):
        # Same for a denial coming from the bogus target.
        reply = self.sendQuery('nxd.dname-bogus.secure.example.', 'A')

        self.assertRcodeEqual(reply, dns.rcode.SERVFAIL)
        self.assertAnswerEmpty(reply)

    def testInsecureDNAMEtoSecureAnswer(self):
        # Insecure DNAME into a secure zone: AD is not in the expected flags;
        # only the secure A record is checked for an RRSIG.
        reply = self.sendQuery('host1.dname-to-secure.insecure.example.', 'A')
        dnameSet = dns.rrset.from_text(
            'dname-to-secure.insecure.example.', 0, dns.rdataclass.IN,
            'DNAME', 'dname-secure.example.')
        cnameSet = dns.rrset.from_text(
            'host1.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.dname-secure.example.')
        addrSet = dns.rrset.from_text(
            'host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A',
            '192.0.2.21')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMessageHasFlags(reply, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(reply, addrSet)
        self.assertRRsetInAnswer(reply, cnameSet)
        self.assertRRsetInAnswer(reply, dnameSet)
        self.assertMatchingRRSIGInAnswer(reply, addrSet)

    def testSecureDNAMEToSecureCNAMEAnswer(self):
        # Secure DNAME, then a signed CNAME in the target zone, then a secure
        # A record: AD expected.  The first CNAME (at the queried name) is
        # only checked for presence; the second one needs its RRSIG.
        reply = self.sendQuery('cname-to-secure.dname-secure.secure.example.', 'A')

        dnameSet = dns.rrset.from_text(
            'dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME',
            'dname-secure.example.')
        firstCname = dns.rrset.from_text(
            'cname-to-secure.dname-secure.secure.example.', 0,
            dns.rdataclass.IN, 'CNAME',
            'cname-to-secure.dname-secure.example.')
        secondCname = dns.rrset.from_text(
            'cname-to-secure.dname-secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'host1.secure.example.')
        addrSet = dns.rrset.from_text(
            'host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMessageHasFlags(reply, ['QR', 'RD', 'RA', 'AD'], ['DO'])
        self.assertRRsetInAnswer(reply, addrSet)
        self.assertRRsetInAnswer(reply, firstCname)
        self.assertRRsetInAnswer(reply, secondCname)
        self.assertMatchingRRSIGInAnswer(reply, secondCname)
        self.assertRRsetInAnswer(reply, dnameSet)
        self.assertMatchingRRSIGInAnswer(reply, dnameSet)
        self.assertMatchingRRSIGInAnswer(reply, addrSet)

    def testSecureDNAMEToInsecureCNAMEAnswer(self):
        # Same chain, but the final A record lives in the insecure zone: AD
        # is not in the expected flags and the A record is not RRSIG-checked.
        reply = self.sendQuery('cname-to-insecure.dname-secure.secure.example.', 'A')

        dnameSet = dns.rrset.from_text(
            'dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME',
            'dname-secure.example.')
        firstCname = dns.rrset.from_text(
            'cname-to-insecure.dname-secure.secure.example.', 0,
            dns.rdataclass.IN, 'CNAME',
            'cname-to-insecure.dname-secure.example.')
        secondCname = dns.rrset.from_text(
            'cname-to-insecure.dname-secure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'node1.insecure.example.')
        addrSet = dns.rrset.from_text(
            'node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')

        self.assertRcodeEqual(reply, dns.rcode.NOERROR)
        self.assertMessageHasFlags(reply, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(reply, addrSet)
        self.assertRRsetInAnswer(reply, firstCname)
        self.assertRRsetInAnswer(reply, secondCname)
        self.assertMatchingRRSIGInAnswer(reply, secondCname)
        self.assertRRsetInAnswer(reply, dnameSet)
        self.assertMatchingRRSIGInAnswer(reply, dnameSet)

    def testSecureDNAMEToBogusCNAMEAnswer(self):
        # A bogus link further down the chain fails the whole answer.
        reply = self.sendQuery('cname-to-bogus.dname-secure.secure.example.', 'A')

        self.assertRcodeEqual(reply, dns.rcode.SERVFAIL)
        self.assertAnswerEmpty(reply)

    def testInsecureDNAMEtoSecureNXDomain(self):
        # Insecure DNAME into a secure zone, target name missing: NXDOMAIN,
        # AD not in the expected flags, no RRSIG checks.
        reply = self.sendQuery('nxd.dname-to-secure.insecure.example.', 'A')
        dnameSet = dns.rrset.from_text(
            'dname-to-secure.insecure.example.', 0, dns.rdataclass.IN,
            'DNAME', 'dname-secure.example.')
        cnameSet = dns.rrset.from_text(
            'nxd.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN,
            'CNAME', 'nxd.dname-secure.example.')

        self.assertRcodeEqual(reply, dns.rcode.NXDOMAIN)
        self.assertMessageHasFlags(reply, ['QR', 'RD', 'RA'], ['DO'])
        self.assertRRsetInAnswer(reply, cnameSet)
        self.assertRRsetInAnswer(reply, dnameSet)