Add DNAME regression tests
authorPieter Lexis <pieter.lexis@powerdns.com>
Tue, 5 Mar 2019 15:12:40 +0000 (16:12 +0100)
committerPieter Lexis <pieter.lexis@powerdns.com>
Tue, 5 Mar 2019 15:12:40 +0000 (16:12 +0100)
regression-tests.recursor-dnssec/basicDNSSEC.py
regression-tests.recursor-dnssec/recursortests.py

index e754dffa8488eb312ad6533b4cedc5669797b95f..aef9fc2a343630776e482b8fee289014da251bae 100644 (file)
@@ -147,3 +147,128 @@ class BasicDNSSEC(RecursorTest):
         self.assertRRsetInAnswer(res, expectedA)
         self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
 
+    def testSecureDNAMEToSecureAnswer(self):
+        res = self.sendQuery('host1.dname-secure.secure.example.', 'A')
+        expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+        expectedCNAME = dns.rrset.from_text('host1.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.')
+        expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21')
+
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedA)
+        self.assertRRsetInAnswer(res, expectedCNAME)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+    def testSecureDNAMEToSecureNXDomain(self):
+        res = self.sendQuery('nxd.dname-secure.secure.example.', 'A')
+        expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+        expectedCNAME = dns.rrset.from_text('nxd.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.')
+
+        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedCNAME)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+    def testSecureDNAMEToInsecureAnswer(self):
+        res = self.sendQuery('node1.dname-insecure.secure.example.', 'A')
+        expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.')
+        expectedCNAME = dns.rrset.from_text('node1.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.')
+        expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
+
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedA)
+        self.assertRRsetInAnswer(res, expectedCNAME)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+    def testSecureDNAMEToInsecureNXDomain(self):
+        res = self.sendQuery('nxd.dname-insecure.secure.example.', 'A')
+        expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.')
+        expectedCNAME = dns.rrset.from_text('nxd.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.insecure.example.')
+
+        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedCNAME)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+    def testSecureDNAMEToBogusAnswer(self):
+        res = self.sendQuery('ted.dname-bogus.secure.example.', 'A')
+
+        self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+        self.assertAnswerEmpty(res)
+
+    def testSecureDNAMEToBogusNXDomain(self):
+        res = self.sendQuery('nxd.dname-bogus.secure.example.', 'A')
+
+        self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+        self.assertAnswerEmpty(res)
+
+    def testInsecureDNAMEtoSecureAnswer(self):
+        res = self.sendQuery('host1.dname-to-secure.insecure.example.', 'A')
+        expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+        expectedCNAME = dns.rrset.from_text('host1.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.')
+        expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21')
+
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedA)
+        self.assertRRsetInAnswer(res, expectedCNAME)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+    def testSecureDNAMEToSecureCNAMEAnswer(self):
+        res = self.sendQuery('cname-to-secure.dname-secure.secure.example.', 'A')
+
+        expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+        expectedCNAME1 = dns.rrset.from_text('cname-to-secure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-secure.dname-secure.example.')
+        expectedCNAME2 = dns.rrset.from_text('cname-to-secure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
+        expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
+
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedA)
+        self.assertRRsetInAnswer(res, expectedCNAME1)
+        self.assertRRsetInAnswer(res, expectedCNAME2)
+        self.assertMatchingRRSIGInAnswer(res, expectedCNAME2)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+    def testSecureDNAMEToInsecureCNAMEAnswer(self):
+        res = self.sendQuery('cname-to-insecure.dname-secure.secure.example.', 'A')
+
+        expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+        expectedCNAME1 = dns.rrset.from_text('cname-to-insecure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-insecure.dname-secure.example.')
+        expectedCNAME2 = dns.rrset.from_text('cname-to-insecure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.')
+        expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
+
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedA)
+        self.assertRRsetInAnswer(res, expectedCNAME1)
+        self.assertRRsetInAnswer(res, expectedCNAME2)
+        self.assertMatchingRRSIGInAnswer(res, expectedCNAME2)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+    def testSecureDNAMEToBogusCNAMEAnswer(self):
+        res = self.sendQuery('cname-to-bogus.dname-secure.secure.example.', 'A')
+
+        self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+        self.assertAnswerEmpty(res)
+
+    def testInsecureDNAMEtoSecureNXDomain(self):
+        res = self.sendQuery('nxd.dname-to-secure.insecure.example.', 'A')
+        expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+        expectedCNAME = dns.rrset.from_text('nxd.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.')
+
+        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedCNAME)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
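Review bot: testInsecureDNAMEtoSecureNXDomain ends with `self.assertMatchingRRSIGInAnswer(res, expectedDNAME)`, but that DNAME is owned by `dname-to-secure.insecure.example.`, and the sibling testInsecureDNAMEtoSecureAnswer makes no RRSIG assertion for the same record. If `insecure.example` is unsigned, as its name and the absent AD flag in both tests suggest, there is no signature to match and the line looks copied from the Secure variants. Drop it, or add it to the Answer test as well if the zone is in fact signed. A short comment in the Secure tests stating that the CNAME synthesized from the DNAME is expected to carry no RRSIG would make the omitted CNAME signature checks read as deliberate. The BasicDNSSEC class begins outside this hunk.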
index 46ca97c4677ba9b3d873d324d4f184d0f8e29f1d..cfbd87bad4a6c035e399f42404e9363d3a920434 100644 (file)
@@ -85,6 +85,10 @@ cname-secure.example.    3600 IN NS   ns.cname-secure.example.
 cname-secure.example.    3600 IN DS   49148 13 1 a10314452d5ec4d97fcc6d7e275d217261fe790f
 ns.cname-secure.example. 3600 IN A    {prefix}.15
 
+dname-secure.example. 3600 IN NS ns.dname-secure.example.
+dname-secure.example. 3600 IN DS 42043 13 2 11c67f46b7c4d5968bc5f6cc944d58377b762bda53ddb4f3a6dbe6faf7a9940f
+ns.dname-secure.example. 3600 IN A {prefix}.13
+
 bogus.example.           3600 IN NS   ns.bogus.example.
 bogus.example.           3600 IN DS   65034 13 1 6df3bb50ea538e90eacdd7ae5419730783abb0ee
 ns.bogus.example.        3600 IN A    {prefix}.12
@@ -137,7 +141,22 @@ insecure.sub2.secure.example. 3600 IN NS ns1.insecure.example.
 *.cnamewildcardnxdomain.secure.example. 3600 IN CNAME doesntexist.secure.example.
 
 cname-to-formerr.secure.example. 3600 IN CNAME host1.insecure-formerr.example.
+
+dname-secure.secure.example. 3600 IN DNAME dname-secure.example.
+dname-insecure.secure.example. 3600 IN DNAME insecure.example.
+dname-bogus.secure.example. 3600 IN DNAME bogus.example.
         """,
+        'dname-secure.example': """
+dname-secure.example. 3600 IN SOA {soa}
+dname-secure.example. 3600 IN NS ns.dname-secure.example.
+ns.dname-secure.example. 3600 IN A {prefix}.13
+
+host1.dname-secure.example. IN A 192.0.2.21
+
+cname-to-secure.dname-secure.example. 3600 IN CNAME host1.secure.example.
+cname-to-insecure.dname-secure.example. 3600 IN CNAME node1.insecure.example.
+cname-to-bogus.dname-secure.example.    3600 IN CNAME ted.bogus.example.
+""",
         'cname-secure.example': """
 cname-secure.example.          3600 IN SOA   {soa}
 cname-secure.example.          3600 IN NS    ns.cname-secure.example.
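Review bot: `host1.dname-secure.example. IN A 192.0.2.21` is the only record in the new `dname-secure.example` zone without an explicit TTL, so its TTL depends on how the zone loader fills the gap. Write it as `host1.dname-secure.example. 3600 IN A 192.0.2.21` so it matches the rest of the fixture and the record's TTL is stated explicitly. The dictionary holding the zone data starts outside this hunk.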
@@ -165,6 +184,8 @@ ns1.insecure.example.    3600 IN A    {prefix}.13
 node1.insecure.example.  3600 IN A    192.0.2.6
 
 cname-to-secure.insecure.example. 3600 IN CNAME host1.secure.example.
+
+dname-to-secure.insecure.example. 3600 IN DNAME dname-secure.example.
         """,
         'optout.example': """
 optout.example.        3600 IN SOA  {soa}
@@ -262,6 +283,12 @@ PrivateKey: o9F5iix8V68tnMcuOaM2Lt8XXhIIY//SgHIHEePk6cM=
 Private-key-format: v1.2
 Algorithm: 13 (ECDSAP256SHA256)
 PrivateKey: kvoV/g4IO/tefSro+FLJ5UC7H3BUf0IUtZQSUOfQGyA=
+""",
+
+        'dname-secure.example': """
+Private-key-format: v1.2
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: Ep9uo6+wwjb4MaOmqq7LHav2FLrjotVOeZg8JT1Qk04=
 """
     }
 
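Review bot: The new `dname-secure.example` private key has no comment tying it to the DS record this commit adds for the same zone in the `example` zone data (`42043 13 2 …`). Anyone regenerating the key has no hint that the DS digest must change with it, and a mismatch would presumably make the secure DNAME tests validate as bogus. Add a comment above the entry such as `# test-only key; the DS for dname-secure.example in the 'example' zone must be regenerated with it`. The dictionary holding the keys starts outside this hunk.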
@@ -274,7 +301,7 @@ PrivateKey: kvoV/g4IO/tefSro+FLJ5UC7H3BUf0IUtZQSUOfQGyA=
         '10': ['example'],
         '11': ['example'],
         '12': ['bogus.example', 'undelegated.secure.example', 'undelegated.insecure.example'],
-        '13': ['insecure.example', 'insecure.sub2.secure.example'],
+        '13': ['insecure.example', 'insecure.sub2.secure.example', 'dname-secure.example'],
         '14': ['optout.example'],
         '15': ['insecure.optout.example', 'secure.optout.example', 'cname-secure.example']
     }
@@ -333,6 +360,7 @@ query-cache-ttl=0
 log-dns-queries=yes
 log-dns-details=yes
 loglevel=9
+dname-processing=yes
 distributor-threads=1""".format(confdir=confdir,
                                 bind_dnssec_db=bind_dnssec_db))