expand ede.tdir to do validator test for DNSKEY, RRSIG and NSEC missing
authorTom Carpay <tom@nlnetlabs.nl>
Wed, 15 Dec 2021 11:05:45 +0000 (11:05 +0000)
committerTom Carpay <tom@nlnetlabs.nl>
Wed, 15 Dec 2021 11:05:45 +0000 (11:05 +0000)
testdata/ede.tdir/bogus/clean.sh
testdata/ede.tdir/bogus/dnskey-failures.test [new file with mode: 0644]
testdata/ede.tdir/bogus/make-broken-zone.sh
testdata/ede.tdir/bogus/nsec-failures.test [new file with mode: 0644]
testdata/ede.tdir/bogus/rrsig-failures.test [new file with mode: 0644]
testdata/ede.tdir/ede-auth.conf
testdata/ede.tdir/ede.conf
testdata/ede.tdir/ede.test

index b133e862a16a202c4f0d8db4b84496f519aeba35..54128f807217548f8024200427f0d1339621e38b 100755 (executable)
@@ -1 +1 @@
-rm -f K* piece1 base expired notyetincepted trust-anchors dnssec-failures.zone.signed
\ No newline at end of file
+rm -f K* piece1 base expired notyetincepted trust-anchors dnssec-failures.test.signed dnskey-failures.test.signed nsec-failures.test.signed rrsig-failures.test.signed
diff --git a/testdata/ede.tdir/bogus/dnskey-failures.test b/testdata/ede.tdir/bogus/dnskey-failures.test
new file mode 100644 (file)
index 0000000..49d6ad5
--- /dev/null
@@ -0,0 +1,10 @@
+$ORIGIN dnskey-failures.test.
+
+@       SOA     ns      hostmaster      (
+                1       ; serial
+                14400   ; refresh (4 hours)
+                1800    ; retry (30 minutes)
+                2419200 ; expire (4 weeks)
+                300     ; minimum (5 minutes)
+)
+        A       192.0.2.1
index 8298dd34d12915d318aac6cd90b7381ca63a29c5..102eba5fe45d95f99dee7121d4304c40555364ad 100755 (executable)
@@ -1,25 +1,54 @@
 #!/usr/bin/env bash
 
+# create oudated zones
 CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnssec-failures.test`
 echo $CSK
 
 echo ". IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" | \
-        cat $CSK.ds - > bogus/trust-anchors
+       cat $CSK.ds - > bogus/trust-anchors
 
 ONEMONTHAGO=`date -d 'now - 1 month' +%Y%m%d`
 YESTERDAY=`date -d 'now - 2 days' +%Y%m%d`
 TOMORROW=`date -d 'now + 2 days' +%Y%m%d`
 ldns-signzone -i $YESTERDAY bogus/dnssec-failures.test $CSK -f - | \
-        grep -v '^missingrrsigs\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
-        sed 's/Signatures invalid/Signatures INVALID/g' | \
-        grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' | \
-        grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
-        grep -v '^expired\.dnssec-failures\.test\..*IN.*TXT' | \
-        grep -v '^expired\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' > base
+       grep -v '^missingrrsigs\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
+       sed 's/Signatures invalid/Signatures INVALID/g' | \
+       grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' | \
+       grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
+       grep -v '^expired\.dnssec-failures\.test\..*IN.*TXT' | \
+       grep -v '^expired\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' > base
 ldns-signzone -i $ONEMONTHAGO -e $YESTERDAY bogus/dnssec-failures.test $CSK -f - | \
-        grep -v '[      ]NSEC[  ]' | \
-        grep '^expired\.dnssec-failures\.test\..*IN.*TXT' > expired
+       grep -v '[      ]NSEC[  ]' | \
+       grep '^expired\.dnssec-failures\.test\..*IN.*TXT' > expired
 ldns-signzone -i $TOMORROW bogus/dnssec-failures.test $CSK -f - | \
-        grep -v '[      ]NSEC[  ]' | \
-        grep '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' > notyetincepted
-cat base expired notyetincepted > bogus/dnssec-failures.test.signed && rm -f base expired notyetincepted $CSK.*
+       grep -v '[      ]NSEC[  ]' | \
+       grep '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' > notyetincepted
+
+cat base expired notyetincepted > bogus/dnssec-failures.test.signed
+
+# create zone with DNSKEY missing
+CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnskey-failures.test`
+echo $CSK
+cat $CSK.ds >> bogus/trust-anchors
+
+ldns-signzone bogus/dnskey-failures.test $CSK -f tmp.signed
+grep -v '      DNSKEY  ' tmp.signed > bogus/dnskey-failures.test.signed
+
+# create zone with NSEC missing
+CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom nsec-failures.test`
+echo $CSK
+cat $CSK.ds >> bogus/trust-anchors
+
+ldns-signzone bogus/nsec-failures.test $CSK -f tmp.signed
+grep -v '      NSEC    ' tmp.signed > bogus/nsec-failures.test.signed
+
+# create zone with RRSIGs missing
+CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom rrsig-failures.test`
+echo $CSK
+cat $CSK.ds >> bogus/trust-anchors
+
+ldns-signzone bogus/rrsig-failures.test $CSK -f tmp.signed
+grep -v '      RRSIG   ' tmp.signed > bogus/rrsig-failures.test.signed
+
+# cleanup
+rm -f base expired notyetincepted tmp.signed $CSK.*
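Review bot: The final `rm -f base expired notyetincepted tmp.signed $CSK.*` only removes the key files of the last `$CSK` (rrsig-failures.test); the per-zone `rm -f ... $CSK.*` that used to follow the dnssec-failures.test signing was dropped and `CSK` is reassigned three more times, so the `K*` key/private/ds files of the other three keys are left in the working directory until clean.sh's `rm -f K*` runs. The script also has no `set -e`, so if an `ldns-keygen` call fails `CSK` is empty, the following `cat $CSK.ds` fails silently, and the unquoted final `rm -f $CSK.*` expands to `rm -f .*`, which would remove dotfiles in the current directory. I would add `set -eu` after the shebang and remove each key right after its zone is signed, as sketched below. The `grep -v` patterns for DNSKEY/NSEC/RRSIG use literal whitespace that this rendering does not let me tell apart as tabs or spaces; if they are spaces they will not match ldns-signzone's tab-separated output, so worth confirming.
```shell
#!/usr/bin/env bash
set -eu

# … unchanged: dnssec-failures.test (outdated/missing signatures) …
cat base expired notyetincepted > bogus/dnssec-failures.test.signed
rm -f "$CSK".*

# create zone with DNSKEY missing
CSK=$(ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnskey-failures.test)
# … unchanged: DS append, ldns-signzone, grep -v DNSKEY …
rm -f "$CSK".*

# … same pattern for nsec-failures.test and rrsig-failures.test …

# cleanup
rm -f base expired notyetincepted tmp.signed
```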
diff --git a/testdata/ede.tdir/bogus/nsec-failures.test b/testdata/ede.tdir/bogus/nsec-failures.test
new file mode 100644 (file)
index 0000000..529298d
--- /dev/null
@@ -0,0 +1,10 @@
+$ORIGIN nsec-failures.test.
+
+@       SOA     ns      hostmaster      (
+                1       ; serial
+                14400   ; refresh (4 hours)
+                1800    ; retry (30 minutes)
+                2419200 ; expire (4 weeks)
+                300     ; minimum (5 minutes)
+)
+        A       192.0.2.1
diff --git a/testdata/ede.tdir/bogus/rrsig-failures.test b/testdata/ede.tdir/bogus/rrsig-failures.test
new file mode 100644 (file)
index 0000000..cab0b7f
--- /dev/null
@@ -0,0 +1,10 @@
+$ORIGIN rrsig-failures.test.
+
+@       SOA     ns      hostmaster      (
+                1       ; serial
+                14400   ; refresh (4 hours)
+                1800    ; retry (30 minutes)
+                2419200 ; expire (4 weeks)
+                300     ; minimum (5 minutes)
+)
+        A       192.0.2.1
index 792f5b46badd9ea05f4cc10b8cecfaf7c45c8adb..6620cfc9cf23e0395c60cf6ddbe2c843c265c215 100644 (file)
@@ -9,4 +9,17 @@ server:
 
 auth-zone:
         name: "dnssec-failures.test"
-        zonefile: "bogus/dnssec-failures.test.signed"
\ No newline at end of file
+        zonefile: "bogus/dnssec-failures.test.signed"
+
+auth-zone:
+        name: "dnskey-failures.test"
+        zonefile: "bogus/dnskey-failures.test.signed"
+
+auth-zone:
+        name: "nsec-failures.test"
+        zonefile: "bogus/nsec-failures.test.signed"
+
+auth-zone:
+        name: "rrsig-failures.test"
+        zonefile: "bogus/rrsig-failures.test.signed"
+
index 1bf3cb7cd783f2a6920c8942a63cfe40057f8d9c..84bf6c3ee131374ab9f20fc86c8f438be2720603 100644 (file)
@@ -8,6 +8,7 @@ server:
        chroot: ""
        username: ""
        directory: ""
+       val-log-level: 2
 
        # @TODO change this to local file
        #auto-trust-anchor-file: "/var/lib/unbound/root.key"
@@ -36,4 +37,17 @@ server:
 
 forward-zone:
        name: "dnssec-failures.test"
-       forward-addr: 127.0.0.1@@PORT2@
\ No newline at end of file
+       forward-addr: 127.0.0.1@@PORT2@
+
+forward-zone:
+       name: "dnskey-failures.test"
+       forward-addr: 127.0.0.1@@PORT2@
+
+forward-zone:
+       name: "nsec-failures.test"
+       forward-addr: 127.0.0.1@@PORT2@
+
+forward-zone:
+       name: "rrsig-failures.test"
+       forward-addr: 127.0.0.1@@PORT2@
+
index 1474ae8c403536d4a8ce8be464ad8c46f3c304a2..dac5793d1ced8b4b173437e4014d7b529bfa4e8c 100644 (file)
@@ -30,7 +30,7 @@ $PRE/unbound -d -c ub2.conf > unbound.log 2>&1 &
 UNBOUND_PID2=$!
 echo "UNBOUND_PID2=$UNBOUND_PID2" >> .tpkg.var.test
 
-# @TODO did we fix this?
+# @TODO did we fix this? -> we do not trigger this anymore
 # # query with bad edns keepalive
 # dig @127.0.0.1 -p $UNBOUND_PORT +tcp +ednsopt=11:010203 > keepalive.txt
 #
@@ -46,15 +46,17 @@ dig @127.0.0.1 -p $UNBOUND_PORT +norec > snoop.txt
 if ! grep -q "OPT=15: 00 14" snoop.txt
 then
        echo "Incorect cache snoop output"
+       cat snoop.txt
        exit 1
 fi
 
-# @TODO dnssec bogus local zones something
-dig @127.0.0.1 -p $UNBOUND_PORT qwerqwer.hopsa.kidee. TXT +dnssec > bogus.txt
+# local-zone always_refuse
+dig @127.0.0.1 -p $UNBOUND_PORT qwerqwer.hopsa.kidee. TXT +dnssec > local_zone_refuse.txt
 
-if ! grep -q "OPT=15: 00 0f" bogus.txt
+if ! grep -q "OPT=15: 00 0f" local_zone_refuse.txt
 then
-       echo "Incorect DNSSEC local zone output"
+       echo "query to qwerqwer.hopsa.kidee. should be EDE blocked"
+       cat local_zone_refuse.txt
        exit 1
 fi
 
@@ -69,50 +71,59 @@ dig @127.0.0.1 -p $UNBOUND_PORT www.qhqwer.qwer.qwer.h.example.com A > dname_exp
 if ! grep -q "OPT=15: 00 00 44 4e 41 4d 45 20 65 78 70 61 6e 73 69 6f 6e 20 62 65 63 61 6d 65 20 74 6f 6f 20 6c 61 72 67 65" dname_expansion.txt
 then
        echo "No DNAME expansion for CNAME EDE message"
+       cat dname_expansion.txt
        exit 1
 fi
 
-# RPZ always_null gets EDE forged
-dig @127.0.0.1 -p $UNBOUND_PORT uva.nl A > always_null_forged.txt
+# local-zone always_null gets EDE forged
+dig @127.0.0.1 -p $UNBOUND_PORT uva.nl A > local_zone_always_null_forged.txt
 
-if ! grep -q "OPT=15: 00 04" always_null_forged.txt
+if ! grep -q "OPT=15: 00 04" local_zone_always_null_forged.txt
 then
        echo "local-zone always_null must have EDE forged code"
+       cat local_zone_always_null_forged.txt
        exit 1
 fi
 
 # RPZ always_refuse
-dig @127.0.0.1 -p $UNBOUND_PORT hopsa.kidee. A > always_refuse.txt
+dig @127.0.0.1 -p $UNBOUND_PORT hopsa.kidee. A > local_zone_rpz_always_refuse.txt
 
-if ! grep -q "OPT=15: 00 0f" always_refuse.txt
+if ! grep -q "OPT=15: 00 0f" local_zone_rpz_always_refuse.txt
 then
        echo "local-zone always_refuse must have EDE blocked code"
+       cat local_zone_rpz_always_refuse.txt
        exit 1
 fi
 
-# @TODO what does this trigger? -> ede blocked, same as bogus.txt?
-dig @127.0.0.1 -p $UNBOUND_PORT hopsa.kidee. A
-
 # @TODO trigger mesh DNSSEC bogus
+
+
 dig @127.0.0.1 -p $UNBOUND_PORT servfail.nl > servfail.txt
 
-if ! grep -q "OPT=15: 00 06" servfail.txt
+if ! grep -q "OPT=15: 00 07" servfail.txt
 then
-       echo "query to servfail.nl should return EDE DNSSEC bogus"
+       echo "query to servfail.nl should return EDE signature expired"
+       cat servfail.txt
        exit 1
 fi
 
 # local data forged answer
-#dig @127.0.0.1 -p $UNBOUND_PORT hopsa.nlnetlabs.nl TXT
+dig @127.0.0.1 -p $UNBOUND_PORT hopsa.nlnetlabs.nl TXT > local_data_forged.txt
 
-#@TODO write actual test
+if ! grep -q "OPT=15: 00 04" local_data_forged.txt
+then
+       echo "query to hopsa.nlnetlabs.nl does not give EDE forged"
+       cat local_data_forged.txt
+       exit 1
+fi
 
 # ACL refused, EDE prohibited
-dig @127.0.0.1 -p $UNBOUND_PORT -b 127.0.0.2 example.com > refused.txt
+dig @127.0.0.1 -p $UNBOUND_PORT -b 127.0.0.2 example.com > acl_refused.txt
 
-if ! grep -q "OPT=15: 00 12" refused.txt
+if ! grep -q "OPT=15: 00 12" acl_refused.txt
 then
        echo "ACL refused does not give EDE prohibited"
+       cat acl_refused.txt
        exit 1
 fi
 
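Review bot: The servfail.nl check now pins EDE code 7 (signature expired), but as far as this diff shows nothing in ede-auth.conf serves a servfail.nl zone, so the assertion depends on a live external domain staying broken in exactly that way and on network access from the test runner; the `@TODO trigger mesh DNSSEC bogus` comment right above it is still open. I would either serve a deliberately broken zone for it from ub2 like the dnssec-failures.test zones, or mark the check as network-dependent with a comment such as `# NOTE: relies on the public servfail.nl zone; the expected EDE code may change`. If that zone is provided elsewhere in the test directory, disregard this.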
@@ -123,32 +134,70 @@ UNBOUND_PID2=$!
 echo "UNBOUND_PID2=$UNBOUND_PID2" >> .tpkg.var.test
 
 # DNSSEC failure: key not incepted
-dig @127.0.0.1 -p $UNBOUND_PORT notyetincepted.dnssec-failures.test. TXT +dnssec > notyetincepted.txt
+dig @127.0.0.1 -p $UNBOUND_PORT notyetincepted.dnssec-failures.test. TXT +dnssec > sig_notyetincepted.txt
 
-if ! grep -q "OPT=15: 00 08" notyetincepted.txt
+if ! grep -q "OPT=15: 00 08" sig_notyetincepted.txt
 then
        echo "Signature not yet valid does not return EDE Signature Not Yet Valid"
+       cat sig_notyetincepted.txt
        exit 1
 fi
 
-dig @127.0.0.1 -p $UNBOUND_PORT expired.dnssec-failures.test. TXT +dnssec > expired.txt
+# DNSSEC failure: key expired
+dig @127.0.0.1 -p $UNBOUND_PORT expired.dnssec-failures.test. TXT +dnssec > sig_expired.txt
 
-if ! grep -q "OPT=15: 00 07" expired.txt
+if ! grep -q "OPT=15: 00 07" sig_expired.txt
 then
        echo "Expired signature does not return EDE Signature expired"
+       cat sig_expired.txt
        exit 1
 fi
 
-# DNSSEC indeterminate
+# DNSSEC failure: missing rrsigs
+dig @127.0.0.1 -p $UNBOUND_PORT missingrrsigs.dnssec-failures.test. TXT +dnssec > missingrrsigs.txt
+
+if ! grep -q "OPT=15: 00 0a" missingrrsigs.txt
+then
+       echo "Expired signature does not return EDE RRSIGs missing"
+       cat missingrrsigs.txt
+       exit 1
+fi
+
+# signed zone with DNSKEY missing
+dig @127.0.0.1 -p $UNBOUND_PORT dnskey-failures.test > dnskey-failure.txt
+
+if ! grep -q "OPT=15: 00 09" dnskey-failure.txt
+then
+       echo "Expired signature does not return EDE DNSKEY missing"
+       cat dnskey-failure.txt
+       exit 1
+fi
+
+# signed zone with RRSIGs missing
+dig @127.0.0.1 -p $UNBOUND_PORT rrsig-failures.test > rrsig-failure.txt
+
+if ! grep -q "OPT=15: 00 0a" rrsig-failure.txt
+then
+       echo "Expired signature does not return EDE RRSIGs missing"
+       cat rrsig-failure.txt
+       exit 1
+fi
+
+# signed zone with NSEC missing
+dig @127.0.0.1 -p $UNBOUND_PORT nsec-failures.test > nsec-failure.txt
+
+if ! grep -q "OPT=15: 00 0c" nsec-failure.txt
+then
+       echo "Expired signature does not return EDE NSEC missing"
+       cat nsec-failure.txt
+       exit 1
+fi
 
-# ZONE KEY TOEVOEGEN AAN UNBOUND
-# SIGNEN MET LDNS SIGNER
-# MAKE ZONE RECORD WITH EXPIRED AND NOT INCEPTED RECORD
-# zone aanmaken met auth-zone op een tweede unbound
 
+# @TODO DNSSEC indeterminate
 
 
 
 # teardown
 kill_pid $UNBOUND_PID
-kill_pid $UNBOUND_PID2
\ No newline at end of file
+kill_pid $UNBOUND_PID2
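Review bot: The failure messages of the four new checks were copied from the expired-signature check and describe the wrong condition: the missingrrsigs, dnskey-failure, rrsig-failure and nsec-failure blocks all print `Expired signature does not return ...`, which sends whoever debugs a failure to the wrong zone. Suggest `echo "missing RRSIGs do not return EDE RRSIGs missing"`, `echo "missing DNSKEY does not return EDE DNSKEY missing"` and `echo "missing NSEC does not return EDE NSEC missing"`, with the rrsig-failure block reusing the first. The three new apex queries (dnskey-failures.test, rrsig-failures.test, nsec-failures.test) also omit `+dnssec` unlike the dnssec-failures.test queries above them; if they pass without it that is fine, but aligning them keeps all four cases on the same code path.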