--- /dev/null
+rm -f K* piece1 base expired notyetincepted trust-anchors dnssec-failures.zone.signed
\ No newline at end of file
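Review bot: The cleanup list removes `dnssec-failures.zone.signed`, but the signing script in this commit writes `dnssec-failures.test.signed` (the name ede-auth.conf also points at), so the generated signed zone is never cleaned; change that entry to `dnssec-failures.test.signed`. Nothing else on the page creates `piece1`, so that entry looks like a leftover — worth confirming before keeping it. The script has no shebang and globs `K*` relative to whatever the caller's current directory happens to be, which silently deletes unrelated files if it is run from elsewhere; a `cd "$(dirname "$0")" || exit 1` first line and `rm -f -- K* …` would pin it to the fixture directory.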
--- /dev/null
+$ORIGIN dnssec-failures.test.
+
+@ SOA ns hostmaster (
+ 1 ; serial
+ 14400 ; refresh (4 hours)
+ 1800 ; retry (30 minutes)
+ 2419200 ; expire (4 weeks)
+ 300 ; minimum (5 minutes)
+)
+ NS ns
+ns A 192.0.2.1
+notyetincepted TXT "Not yet incepted"
+expired TXT "Expired"
+sigsinvalid TXT "Signatures invalid"
+missingrrsigs TXT "Signatures missing"
\ No newline at end of file
--- /dev/null
+#!/usr/bin/env bash
+
+CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnssec-failures.test`
+echo $CSK
+
+echo ". IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" | \
+ cat $CSK.ds - > trust-anchors
+
+ONEMONTHAGO=`date -d 'now - 1 month' +%Y%m%d`
+YESTERDAY=`date -d 'now - 2 days' +%Y%m%d`
+TOMORROW=`date -d 'now + 2 days' +%Y%m%d`
+ldns-signzone -i $YESTERDAY dnssec-failures.test $CSK -f - | \
+ grep -v '^missingrrsigs\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
+ sed 's/Signatures invalid/Signatures INVALID/g' | \
+ grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' | \
+ grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
+ grep -v '^expired\.dnssec-failures\.test\..*IN.*TXT' | \
+ grep -v '^expired\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' > base
+ldns-signzone -i $ONEMONTHAGO -e $YESTERDAY dnssec-failures.test $CSK -f - | \
+ grep -v '[ ]NSEC[ ]' | \
+ grep '^expired\.dnssec-failures\.test\..*IN.*TXT' > expired
+ldns-signzone -i $TOMORROW dnssec-failures.test $CSK -f - | \
+ grep -v '[ ]NSEC[ ]' | \
+ grep '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' > notyetincepted
+cat base expired notyetincepted > dnssec-failures.test.signed && rm -f base expired notyetincepted $CSK.*
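Review bot: The script runs without `set -euo pipefail` and expands `$CSK` unquoted from a backtick substitution, so if `ldns-keygen` fails `CSK` is empty and the later `cat $CSK.ds -` reads `.ds`, `ldns-signzone … $CSK` signs with no key, and the final `rm -f … $CSK.*` expands to `rm -f .*`, which deletes every dotfile in the working directory instead of aborting; add `set -euo pipefail` after the shebang, write `CSK=$(ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnssec-failures.test)`, and quote every later use as `"$CSK"` (`rm -f -- base expired notyetincepted "${CSK:?}".*`). `YESTERDAY` is assigned `now - 2 days` and `TOMORROW` `now + 2 days`, so the names misstate the offsets and will mislead whoever next tunes the validity windows; rename them or add a comment stating the two-day margin. Because the "not yet incepted" records are signed with inception two days ahead and the rest with an inception of two days ago and no explicit expiry, the output is only a correct fixture for a bounded time and presumably has to be regenerated when the test runs rather than committed — the page does not show how this script is invoked, so that is worth confirming. The DS prepended to `trust-anchors` is the production root KSK (key tag 20326); a one-line comment saying so would tell a future maintainer why that line must follow root KSK rollovers.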
--- /dev/null
+server:
+ verbosity: 1
+ use-syslog: no
+ chroot: ""
+ username: ""
+ directory: ""
+ local-zone: test nodefault
+ port: 53535
+
+auth-zone:
+ name: "dnssec-failures.test"
+ zonefile: "testdata/ede.tdir/bogus/dnssec-failures.test.signed"
\ No newline at end of file
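Review bot: `port: 53535` is a literal, but the generation step in ede.test (`sed -e 's/@PORT2\@/'$UNBOUND_PORT2'/' < ede-auth.conf > ub2.conf`) expects an `@PORT2@` placeholder here, and the resolver's `forward-addr: 127.0.0.1@@PORT2@` is rewritten to `$UNBOUND_PORT2`, i.e. `$RND_PORT + 1`, so the resolver forwards to a port this instance never listens on; change the line to `port: @PORT2@`. The start-up line added to ede.test also launches the "authoritative" instance with `-c ub.conf` and the same `unbound.log` as the resolver instead of `ub2.conf`, so as written this config is never loaded at all; that fix (`$PRE/unbound -d -c ub2.conf > unbound2.log 2>&1 &`) belongs with the port change, since the two new EDE checks can only pass once the forwarded zone is actually served. `zonefile` here and `trust-anchor-file` in ede.conf are given relative to `testdata/ede.tdir/bogus/`, and with `directory: ""` unbound resolves them against its current working directory; whether the harness runs from the repository root or from inside the copied .tdir is not visible on the page, so this is worth verifying rather than assuming.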
pidfile: "unbound.pid"
chroot: ""
username: ""
+ directory: ""
# @TODO change this to local file
- auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ #auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ trust-anchor-file: "testdata/ede.tdir/bogus/trust-anchors"
module-config: "respip validator iterator"
localzone: nlnetlabs.nl transparant
local-data: "hopsa.nlnetlabs.nl. TXT hela hola"
- local-zone: uva.nl. always_null
+ local-zone: uva.nl. always_null
local-zone: example.com redirect
- local-data: "example.com CNAME *.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaa."
\ No newline at end of file
+ local-data: "example.com CNAME *.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaa."
+
+ local-zone: test nodefault
+ do-not-query-localhost: no
+
+forward-zone:
+ name: "dnssec-failures.test"
+ forward-addr: 127.0.0.1@@PORT2@
\ No newline at end of file
UNBOUND_PORT=$RND_PORT
UNBOUND_PORT2=$(($RND_PORT + 1))
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
-echo "UNBOUND_PORT=2=$UNBOUND_PORT2" >> .tpkg.var.test
+echo "UNBOUND_PORT2=$UNBOUND_PORT2" >> .tpkg.var.test
# rewrite config file with created ports
-sed -e 's/@PORT\@/'$UNBOUND_PORT'/' < ede.conf > ub.conf
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/g; s/@PORT2\@/'$UNBOUND_PORT2'/g' < ede.conf > ub.conf
sed -e 's/@PORT2\@/'$UNBOUND_PORT2'/' < ede-auth.conf > ub2.conf
# start unbound in the background
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
-# start "authoritative unbound" in the background
-$PRE/unbound -d -c ub.conf > unbound.log 2>&1 &
-UNBOUND_PID2=$!
-echo "UNBOUND_PID2=$UNBOUND_PID2" >> .tpkg.var.test
-
-
# query with bad edns keepalive
dig @127.0.0.1 -p $UNBOUND_PORT +tcp +ednsopt=11:010203 > keepalive.txt
# local data forged answer
dig @127.0.0.1 -p $UNBOUND_PORT hopsa.nlnetlabs.nl TXT
+#@TODO write actual test
+
# ACL refused, EDE prohibited
-dig @127.0.0.1 -b 127.0.0.2 example.com > refused.txt
+dig @127.0.0.1 -p $UNBOUND_PORT -b 127.0.0.2 example.com > refused.txt
if ! grep -q "OPT=15: 00 12" refused.txt
then
fi
+# start authoritative unbound in the background
+$PRE/unbound -d -c ub.conf > unbound.log 2>&1 &
+UNBOUND_PID2=$!
+echo "UNBOUND_PID2=$UNBOUND_PID2" >> .tpkg.var.test
+
+# DNSSEC failure: key not incepted
+dig @127.0.0.1 -p $UNBOUND_PORT notyetincepted.dnssec-failures.test. TXT +dnssec > notyetincepted.txt
+
+if ! grep -q "OPT=15: 00 08" notyetincepted.txt
+then
+ echo "Signature not yet valid does not return EDE Signature Not Yet Valid"
+ exit 1
+fi
+
+dig @127.0.0.1 -p $UNBOUND_PORT expired.dnssec-failures.test. TXT +dnssec > expired.txt
+
+if ! grep -q "OPT=15: 00 07" expired.txt
+then
+ echo "Expired signature does not return EDE Signature expired"
+ exit 1
+fi
# DNSSEC indeterminate