LOG(d_prefix<<": got initial zone status "<<initialState<<" for record "<<i->first.name<<"|"<<DNSRecordContent::NumberToType(i->first.type)<<endl);
if (initialState == vState::Secure) {
- if (i->first.type == QType::DNSKEY && i->first.place == DNSResourceRecord::ANSWER) {
+ if (i->first.type == QType::DNSKEY && i->first.place == DNSResourceRecord::ANSWER && i->first.name == getSigner(i->second.signatures)) {
LOG(d_prefix<<"Validating DNSKEY for "<<i->first.name<<endl);
recordState = validateDNSKeys(i->first.name, i->second.records, i->second.signatures, depth);
}
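Review bot: The new owner-name-equals-signer guard on the DNSKEY branch encodes a DNSSEC rule that is only visible in the condition itself; a comment above it would spare the next reader a trip to the RFCs, e.g. `// Only a DNSKEY RRset at the zone apex (self-signed: RRSIG signer == owner name) is the zone's key set; a DNSKEY RRset at any other name is ordinary zone data and is validated like any other record below`. It is also worth stating the intended outcome for a DNSKEY set that arrives without any RRSIG: presumably getSigner() then yields a name that does not match the owner, so the set falls through to the generic record validation rather than validateDNSKeys — if that is the design, say so in the comment, since a reader could otherwise read the fall-through as accidental. The enclosing loop over the records, and the generic validation branch the comment refers to, start and end outside this hunk.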
dname-secure.secure.example. 3600 IN DNAME dname-secure.example.
dname-insecure.secure.example. 3600 IN DNAME insecure.example.
dname-bogus.secure.example. 3600 IN DNAME bogus.example.
+
+non-apex-dnskey.secure.example. 3600 IN DNSKEY 257 3 13 CT6AJ4MEOtNDgj0+xLtTLGHf1WbLsKWZI8ONHOt/6q7hTjeWSnY/SGig1dIKZrHg+pJFUSPaxeShv48SYVRKEg==
""",
'dname-secure.example': """
dname-secure.example. 3600 IN SOA {soa}
self.assertRcodeEqual(res, dns.rcode.NOERROR)
self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], [])
+
+ def testNonApexDNSKEY(self):
+ """
+ a DNSKEY not at the apex of a zone should not be treated as a DNSKEY in validation
+ """
+ query = dns.message.make_query('non-apex-dnskey.secure.example.', 'DNSKEY')
+ query.flags |= dns.flags.AD
+
+ res = self.sendUDPQuery(query)
+ print(res)
+ expectedDNSKEY = dns.rrset.from_text('non-apex-dnskey.secure.example.', 0, dns.rdataclass.IN, 'DNSKEY', '257 3 13 CT6AJ4MEOtNDgj0+xLtTLGHf1WbLsKWZI8ONHOt/6q7hTjeWSnY/SGig1dIKZrHg+pJFUSPaxeShv48SYVRKEg==')
+
+ self.assertRRsetInAnswer(res, expectedDNSKEY)
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], [])
+
+
@classmethod
def startResponders(cls):
print("Launching responders..")
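Review bot: `print(res)` in testNonApexDNSKEY is leftover debugging output and should be removed; the assertions that follow already report the response on failure. The docstring would also be more useful if it named the expected behaviour rather than the forbidden one, e.g. `"""A DNSKEY RRset below the zone apex is ordinary signed data: it must come back with AD set and must not be used as the zone's key set."""`, which is exactly what the AD-flag assertion pins down. The earlier hunk adding the non-apex-dnskey.secure.example DNSKEY to the zone text appears to be the fixture for this test; a short comment on that record saying it exists only to exercise this case would keep it from being mistaken for a real key.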