secure = 1;
break;
case sec_status_indeterminate:
+ EDNS_OPT_APPEND_EDE(edns, worker->scratchpad,
+ LDNS_EDE_DNSSEC_INDETERMINATE, "");
case sec_status_insecure:
default:
/* not secure */
return 0;
}
-
- // @TODO: Find out if it's local answer of blocked; if blocked then EDE: blocked
if(lzt == local_zone_redirect && local_data_answer(z, env, qinfo,
edns, repinfo, buf, temp, dname_count_labels(qinfo->qname),
&ld, lzt, -1, NULL, 0, NULL, 0)) {
return !qinfo->local_alias;
}
+ // @TODO: Find out if it's local answer or blocked; if blocked then EDE: blocked
+ // -> we do that in this function
ret = local_zones_zone_answer(z, env, qinfo, edns, repinfo, buf, temp,
0 /* no local data used */, lzt);
if(r->log)
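Review bot: The EDE appended at the new `case sec_status_indeterminate:` lines intentionally drops through into `case sec_status_insecure:`/`default:` so the function still returns 0, but that fall-through is unmarked; add `/* fallthrough */` directly after the `EDNS_OPT_APPEND_EDE(...)` call so `-Wimplicit-fallthrough` stays quiet and a later reader does not "fix" it with a `break` that would skip the `return 0`. The replacement comment `// @TODO ... -> we do that in this function` reads as an already-resolved TODO left in the code; if `local_zones_zone_answer` now emits the Blocked EDE for refused/null zones (not visible in this hunk), state that directly, e.g. `/* EDE for blocked/refused zones is appended inside local_zones_zone_answer() */`, and drop the @TODO. `EDNS_OPT_APPEND_EDE` writes into `worker->scratchpad` and its result is not checked, so please confirm the macro tolerates a NULL `edns` or an exhausted scratchpad — the EDE is informational and the validation outcome (`return 0`) must not depend on whether the option fit. The enclosing function starts before and continues after this hunk.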
local-zone: hopsa.kidee. always_refuse
local-data: "hopsa.kidee. TXT hela hola"
-rpz:
- name: rpz.nlnetlabs.nl
- zonefile: rpz.nlnetlabs.nl
\ No newline at end of file
+ local-zone: uva.nl. always_null
+
+ local-zone: example.com redirect
+ local-data: "example.com CNAME *.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaa."
\ No newline at end of file
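Review bot: The new `local-zone: uva.nl. always_null` fixture names a real registered domain; test data should use names reserved for documentation and testing (RFC 2606 / RFC 6761), e.g. `local-zone: example.net. always_null`, so the fixture can never collide with live resolution if a test is accidentally pointed at an unintended resolver. With the `rpz:` stanza removed here, the companion shell test still labels these local-zone cases "RPZ", which will confuse the next reader; keep the wording consistent on both sides. The very long CNAME target in the `example.com` redirect appears to exist only to push the expanded query name past the maximum domain name length — a one-line comment saying so (`# CNAME target long enough that expanding www.….example.com exceeds the 255-octet name limit`) would make that intent explicit, and the "No newline at end of file" marker suggests the file should end with a newline.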
# DNAME expansion
+# @TODO do we have this?
-# RPZ
+# RPZ DNAME expansion too long
+dig @127.0.0.1 -p $UNBOUND_PORT www.qhqwer.qwer.qwer.h.example.com A > dname_expansion.txt
+if ! grep -q "OPT=15: 00 00 44 4e 41 4d 45 20 65 78 70 61 6e 73 69 6f 6e 20 62 65 63 61 6d 65 20 74 6f 6f 20 6c 61 72 67 65" dname_expansion.txt
+then
+ echo "No DNAME expansion for CNAME EDE message"
+ exit 1
+fi
+
+# RPZ always_null gets EDE forged
+dig @127.0.0.1 -p $UNBOUND_PORT uva.nl A > always_null_forged.txt
+
+if ! grep -q "OPT=15: 00 04" always_null_forged.txt
+then
+ echo "local-zone always_null must have EDE forged code"
+ exit 1
+fi
+
+# RPZ always_refuse
+dig @127.0.0.1 -p $UNBOUND_PORT hopsa.kidee. A > always_refuse_forged.txt
+
+if ! grep -q "OPT=15: 00 04" always_refuse_forged.txt
+then
+ echo "local-zone always_null must have EDE blocked code"
+ exit 1
+fi
+
+dig @localhost hopsa.kidee. A
# teardown
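Review bot: The `always_refuse` check greps for `OPT=15: 00 04` (EDE code 4, Forged Answer) while its failure message says "must have EDE blocked code" and names `always_null`, so one of the two is wrong and a regression in the refused path would be reported under a misleading label. If `always_refuse` is meant to carry EDE Blocked (code 15), the lines should read `grep -q "OPT=15: 00 0f"` and `echo "local-zone always_refuse must have EDE blocked code"`; if Forged Answer is really the intended code, fix the message instead. The trailing `dig @localhost hopsa.kidee. A` runs without `-p $UNBOUND_PORT` and its output is neither captured nor checked, so it queries port 53 on the host rather than the instance under test — it looks like a leftover debug line and should be removed. Matching the EDE by the raw `OPT=15:` hex dump ties the test to dig versions that print unknown EDNS options that way; as far as I recall newer dig prints `; EDE: 4 (Forged Answer)` instead, so consider accepting both forms. The `# @TODO do we have this?` line under `# DNAME expansion` should be resolved or removed before merge.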
+++ /dev/null
-$ORIGIN rpz.nlnetlabs.nl.
-
-drop.example.com.rpz.nlnetlabs.nl. CNAME rpz-drop.
-32.34.216.184.93.rpz-ip.rpz.nlnetlabs.nl. A 192.0.2.1
\ No newline at end of file