self.assertRRsetInAnswer(res, expectedA)
self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
+ def testSecureDNAMEToSecureAnswer(self):
+ res = self.sendQuery('host1.dname-secure.secure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME = dns.rrset.from_text('host1.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.')
+ expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+ def testSecureDNAMEToSecureNXDomain(self):
+ res = self.sendQuery('nxd.dname-secure.secure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME = dns.rrset.from_text('nxd.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.')
+
+ self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+ def testSecureDNAMEToInsecureAnswer(self):
+ res = self.sendQuery('node1.dname-insecure.secure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.')
+ expectedCNAME = dns.rrset.from_text('node1.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.')
+ expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+ def testSecureDNAMEToInsecureNXDomain(self):
+ res = self.sendQuery('nxd.dname-insecure.secure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.')
+ expectedCNAME = dns.rrset.from_text('nxd.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.insecure.example.')
+
+ self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+ def testSecureDNAMEToBogusAnswer(self):
+ res = self.sendQuery('ted.dname-bogus.secure.example.', 'A')
+
+ self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+ self.assertAnswerEmpty(res)
+
+ def testSecureDNAMEToBogusNXDomain(self):
+ res = self.sendQuery('nxd.dname-bogus.secure.example.', 'A')
+
+ self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+ self.assertAnswerEmpty(res)
+
+ def testInsecureDNAMEtoSecureAnswer(self):
+ res = self.sendQuery('host1.dname-to-secure.insecure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME = dns.rrset.from_text('host1.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.')
+ expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+ def testSecureDNAMEToSecureCNAMEAnswer(self):
+ res = self.sendQuery('cname-to-secure.dname-secure.secure.example.', 'A')
+
+ expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME1 = dns.rrset.from_text('cname-to-secure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-secure.dname-secure.example.')
+ expectedCNAME2 = dns.rrset.from_text('cname-to-secure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
+ expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertRRsetInAnswer(res, expectedCNAME1)
+ self.assertRRsetInAnswer(res, expectedCNAME2)
+ self.assertMatchingRRSIGInAnswer(res, expectedCNAME2)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+ def testSecureDNAMEToInsecureCNAMEAnswer(self):
+ res = self.sendQuery('cname-to-insecure.dname-secure.secure.example.', 'A')
+
+ expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME1 = dns.rrset.from_text('cname-to-insecure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-insecure.dname-secure.example.')
+ expectedCNAME2 = dns.rrset.from_text('cname-to-insecure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.')
+ expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertRRsetInAnswer(res, expectedCNAME1)
+ self.assertRRsetInAnswer(res, expectedCNAME2)
+ self.assertMatchingRRSIGInAnswer(res, expectedCNAME2)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+ def testSecureDNAMEToBogusCNAMEAnswer(self):
+ res = self.sendQuery('cname-to-bogus.dname-secure.secure.example.', 'A')
+
+ self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+ self.assertAnswerEmpty(res)
+
+ def testInsecureDNAMEtoSecureNXDomain(self):
+ res = self.sendQuery('nxd.dname-to-secure.insecure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME = dns.rrset.from_text('nxd.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.')
+
+ self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
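Review bot: The last assertion in testInsecureDNAMEtoSecureNXDomain, `self.assertMatchingRRSIGInAnswer(res, expectedDNAME)`, expects a signature over a DNAME owned by dname-to-secure.insecure.example, which is inconsistent with the sibling testInsecureDNAMEtoSecureAnswer, where only expectedA gets an RRSIG check. From what is visible, insecure.example looks unsigned (no key is added for it in this change), so this line reads like a copy from testSecureDNAMEToSecureNXDomain. I would drop it, or, if the intent is to pin the Insecure status of that DNAME, assert that no signature accompanies it. A one-line docstring on each new test naming the expected validation state (Secure, Insecure, Bogus) and why AD is or is not in the flag list would make these cases easier to audit.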
cname-secure.example. 3600 IN DS 49148 13 1 a10314452d5ec4d97fcc6d7e275d217261fe790f
ns.cname-secure.example. 3600 IN A {prefix}.15
+dname-secure.example. 3600 IN NS ns.dname-secure.example.
+dname-secure.example. 3600 IN DS 42043 13 2 11c67f46b7c4d5968bc5f6cc944d58377b762bda53ddb4f3a6dbe6faf7a9940f
+ns.dname-secure.example. 3600 IN A {prefix}.13
+
bogus.example. 3600 IN NS ns.bogus.example.
bogus.example. 3600 IN DS 65034 13 1 6df3bb50ea538e90eacdd7ae5419730783abb0ee
ns.bogus.example. 3600 IN A {prefix}.12
*.cnamewildcardnxdomain.secure.example. 3600 IN CNAME doesntexist.secure.example.
cname-to-formerr.secure.example. 3600 IN CNAME host1.insecure-formerr.example.
+
+dname-secure.secure.example. 3600 IN DNAME dname-secure.example.
+dname-insecure.secure.example. 3600 IN DNAME insecure.example.
+dname-bogus.secure.example. 3600 IN DNAME bogus.example.
""",
+ 'dname-secure.example': """
+dname-secure.example. 3600 IN SOA {soa}
+dname-secure.example. 3600 IN NS ns.dname-secure.example.
+ns.dname-secure.example. 3600 IN A {prefix}.13
+
+host1.dname-secure.example. IN A 192.0.2.21
+
+cname-to-secure.dname-secure.example. 3600 IN CNAME host1.secure.example.
+cname-to-insecure.dname-secure.example. 3600 IN CNAME node1.insecure.example.
+cname-to-bogus.dname-secure.example. 3600 IN CNAME ted.bogus.example.
+""",
'cname-secure.example': """
cname-secure.example. 3600 IN SOA {soa}
cname-secure.example. 3600 IN NS ns.cname-secure.example.
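Review bot: `host1.dname-secure.example. IN A 192.0.2.21` is the only record in the new dname-secure.example zone without an explicit TTL; every other line added here uses 3600. Its TTL then depends on whatever default the zone loader applies, which is not visible in this hunk. I would write `host1.dname-secure.example. 3600 IN A 192.0.2.21` so the fixture is self-describing and matches its neighbours.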
node1.insecure.example. 3600 IN A 192.0.2.6
cname-to-secure.insecure.example. 3600 IN CNAME host1.secure.example.
+
+dname-to-secure.insecure.example. 3600 IN DNAME dname-secure.example.
""",
'optout.example': """
optout.example. 3600 IN SOA {soa}
Private-key-format: v1.2
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: kvoV/g4IO/tefSro+FLJ5UC7H3BUf0IUtZQSUOfQGyA=
+""",
+
+ 'dname-secure.example': """
+Private-key-format: v1.2
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: Ep9uo6+wwjb4MaOmqq7LHav2FLrjotVOeZg8JT1Qk04=
"""
}
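Review bot: The new 'dname-secure.example' key entry carries no comment tying it to the `DS 42043 13 2 ...` record added for the same zone in the parent zone data, and the two have to stay in sync for the Secure test cases to validate. Presumably the DS was derived from this key; a comment above the entry such as `# test-only key; the DS with key tag 42043 in the example zone is derived from it` would help whoever regenerates the fixtures and lets secret-scanning triage recognise it as a fixture rather than a production key. The surrounding dictionary starts outside the hunk.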
'10': ['example'],
'11': ['example'],
'12': ['bogus.example', 'undelegated.secure.example', 'undelegated.insecure.example'],
- '13': ['insecure.example', 'insecure.sub2.secure.example'],
+ '13': ['insecure.example', 'insecure.sub2.secure.example', 'dname-secure.example'],
'14': ['optout.example'],
'15': ['insecure.optout.example', 'secure.optout.example', 'cname-secure.example']
}
log-dns-queries=yes
log-dns-details=yes
loglevel=9
+dname-processing=yes
distributor-threads=1""".format(confdir=confdir,
bind_dnssec_db=bind_dnssec_db))