From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Mon, 17 Sep 2007 14:03:35 +0000 (+0000)
Subject: namerror nsec3 proof works.
X-Git-Tag: release-0.5~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6510d8f20ad929c4de6e02c23e6dc3a18cd36155;p=thirdparty%2Funbound.git

namerror nsec3 proof works.


git-svn-id: file:///svn/unbound/trunk@616 be551aaa-1e26-0410-a405-d3ace91eadb9
---

diff --git a/doc/Changelog b/doc/Changelog
index 25cc91b8f..1f9ebf78c 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,6 @@
 17 September 2007: Wouter
 	- NSEC3 hash cache unit test.
+	- validator nsec3 nameerror test.
 
 14 September 2007: Wouter
 	- nsec3 nodata proof, nods proof, wildcard proof.
diff --git a/testcode/fake_event.c b/testcode/fake_event.c
index 977553370..2a7913e40 100644
--- a/testcode/fake_event.c
+++ b/testcode/fake_event.c
@@ -179,6 +179,7 @@ pending_find_match(struct replay_runtime* runtime, struct entry** entry,
 				p->start_step, p->end_step, (*entry)->lineno);
 			if(p->addrlen != 0)
 				log_addr("matched ip", &p->addr, p->addrlen);
+			log_pkt("matched pkt: ", (*entry)->reply_list->reply);
 			return 1;
 		}
 		p = p->next_range;
diff --git a/testcode/ldns-testpkts.c b/testcode/ldns-testpkts.c
index 5bdc85b65..b01795344 100644
--- a/testcode/ldns-testpkts.c
+++ b/testcode/ldns-testpkts.c
@@ -184,6 +184,8 @@ static void replyline(const char* line, ldns_pkt *reply)
 			ldns_pkt_set_ra(reply, true);
 		} else if(str_keyword(&parse, "AD")) {
 			ldns_pkt_set_ad(reply, true);
+		} else if(str_keyword(&parse, "DO")) {
+			ldns_pkt_set_edns_do(reply, true);
 		} else {
 			error("could not parse REPLY: '%s'", parse);
 		}
@@ -200,6 +202,8 @@ static void adjustline(const char* line, struct entry* e,
 			return;
 		if(str_keyword(&parse, "copy_id")) {
 			e->copy_id = true;
+		} else if(str_keyword(&parse, "copy_query")) {
+			e->copy_query = true;
 		} else if(str_keyword(&parse, "sleep=")) {
 			e->sleeptime = (unsigned int) strtol(parse, (char**)&parse, 10);
 			while(isspace(*parse)) 
@@ -230,6 +234,7 @@ static struct entry* new_entry()
 	e->match_transport = transport_any;
 	e->reply_list = NULL;
 	e->copy_id = false;
+	e->copy_query = false;
 	e->sleeptime = 0;
 	e->next = NULL;
 	return e;
@@ -692,6 +697,12 @@ adjust_packet(struct entry* match, ldns_pkt* answer_pkt, ldns_pkt* query_pkt)
 	/* copy & adjust packet */
 	if(match->copy_id)
 		ldns_pkt_set_id(answer_pkt, ldns_pkt_id(query_pkt));
+	if(match->copy_query) {
+		ldns_rr_list* list = ldns_pkt_get_section_clone(query_pkt,
+			LDNS_SECTION_QUESTION);
+		ldns_rr_list_deep_free(ldns_pkt_question(answer_pkt));
+		ldns_pkt_set_question(answer_pkt, list);
+	}
 	if(match->sleeptime > 0) {
 		verbose(3, "sleeping for %d seconds\n", match->sleeptime);
 		sleep(match->sleeptime);
diff --git a/testcode/ldns-testpkts.h b/testcode/ldns-testpkts.h
index 558cc7373..df9ee5237 100644
--- a/testcode/ldns-testpkts.h
+++ b/testcode/ldns-testpkts.h
@@ -54,11 +54,13 @@
 		(opcode)  QUERY IQUERY STATUS NOTIFY UPDATE
 		(rcode)   NOERROR FORMERR SERVFAIL NXDOMAIN NOTIMPL YXDOMAIN
 		 		YXRRSET NXRRSET NOTAUTH NOTZONE
-		(flags)   QR AA TC RD CD RA AD
+		(flags)   QR AA TC RD CD RA AD DO
 	REPLY ...
 	; any additional actions to do.
 	; 'copy_id' copies the ID from the query to the answer.
 	ADJUST copy_id
+	; 'copy_query' copies the query name, type and class to the answer.
+	ADJUST copy_query
 	; 'sleep=10' sleeps for 10 seconds before giving the answer (TCP is open)
 	ADJUST [sleep=<num>]    ; sleep before giving any reply
 	ADJUST [packet_sleep=<num>]  ; sleep before this packet in sequence
@@ -174,6 +176,8 @@ struct entry {
 	/** how to adjust the reply packet */
 	/** copy over the ID from the query into the answer */
 	bool copy_id; 
+	/** copy the query nametypeclass from query into the answer */
+	bool copy_query;
 	/** in seconds */
 	unsigned int sleeptime; 
 
diff --git a/testcode/pktview.c b/testcode/pktview.c
index 0b5412f0e..0b66cc912 100644
--- a/testcode/pktview.c
+++ b/testcode/pktview.c
@@ -111,8 +111,13 @@ void analyze_rdata(ldns_buffer*pkt, const ldns_rr_descriptor* desc,
 		}
 		rdf++;
 	}
-	if(rdlen)
+	if(rdlen) {
+		size_t i;
 		printf(" remain[%d]\n", (int)rdlen);
+		for(i=0; i<rdlen; i++)
+			printf(" %2.2X", (unsigned)ldns_buffer_current(pkt)[i]);
+		printf("\n");
+	}
 	else	printf("\n");
 	ldns_buffer_skip(pkt, (ssize_t)rdlen);
 }
diff --git a/testdata/val_nsec3_b1_nameerror.rpl b/testdata/val_nsec3_b1_nameerror.rpl
new file mode 100644
index 000000000..e3bcb2181
--- /dev/null
+++ b/testdata/val_nsec3_b1_nameerror.rpl
@@ -0,0 +1,115 @@
+; config options
+server:
+	trust-anchor: "example. DNSKEY  257 3 133 (AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX )"
+	val-override-date: "20120420235959"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator NSEC3 B.1 name error.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+. IN A
+SECTION AUTHORITY
+example.	IN NS	ns1.example.
+; leave out to make unbound take ns1
+;example.	IN NS	ns2.example.
+SECTION ADDITIONAL
+ns1.example.	IN A 192.0.2.1
+; leave out to make unbound take ns1
+;ns2.example.	IN A 192.0.2.2
+ENTRY_END
+RANGE_END
+
+; ns1.example.
+RANGE_BEGIN 0 100
+	ADDRESS 192.0.2.1
+
+; response to DNSKEY priming query
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example. IN DNSKEY
+SECTION ANSWER
+example. DNSKEY  256 3 133 ( AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU 5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL ExXT48OGGdbfIme5 )
+example. DNSKEY  257 3 133 ( AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX )
+example. RRSIG   DNSKEY 133 1 3600 20150420235959 ( 20051021000000 22088 example.  Xpo9ptByXb8M1JR1i0KuRmKGc/YeOLcc6Ptn RJOx6ADLSL2mU6AYX5tAJRMTKTXk6waLIaxu liqUBOkCjLUZMw== )
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA DO NXDOMAIN
+SECTION QUESTION
+a.c.x.w.example. IN A
+SECTION AUTHORITY
+example.       SOA     ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 )
+example.       RRSIG   SOA 133 1 3600 20150420235959 20051021000000 ( 62827 example.  hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+ rynLZNqsbLm40Q== )
+
+;; NSEC3 RR that covers the "next closer" name (c.x.w.example)
+;; H(c.x.w.example) = 0va5bpr2ou0vk0lbqeeljri88laipsfh
+
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG )
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example.  rn2tv99+9StXbc7JaEnjT1+8I8f2vVOMOIbF xzlrn94lQLxEOYxQR4SrxDRP4/fC54Jui0Ix 4eI9tMfaTVgehQ== )
+
+;; NSEC3 RR that matches the closest encloser (x.w.example)
+;; H(x.w.example) = b4um86eghhds6nea196smvmlo4ors995
+
+b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd ( gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
+b4um86eghhds6nea196smvmlo4ors995.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example.  GWDmUk8Sv0dxy/UZFol4Ss7Wz3wBiongcnVy strNODWwdnoO9z6pDh8JLk58ExfEgXm79i4b Ma6C/s/bkk1LvA== )
+
+;; NSEC3 RR that covers wildcard at the closest encloser (*.x.w.example)
+;; H(*.x.w.example) = 92pqneegtaue7pjatc3l3qnk738c6v5m
+
+35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd ( b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
+35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example.  QrjOpXVIvodCw0O8uPMNA+yEeS/o3KKkEIPX r5DoEShq2hymAsRTc/t9BvRKpcSTExyc5m3T vYN3GgN0W/0WHQ== )
+SECTION ADDITIONAL
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.c.x.w.example. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD NXDOMAIN
+SECTION QUESTION
+a.c.x.w.example. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.       3600 IN SOA     ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 )
+SECTION ADDITIONAL
+ENTRY_END
+
+SCENARIO_END
diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c
index 6474b85cf..ac255937a 100644
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
@@ -47,6 +47,7 @@
 #include "util/region-allocator.h"
 #include "util/rbtree.h"
 #include "util/module.h"
+#include "util/net_help.h"
 #include "util/data/packed_rrset.h"
 #include "util/data/dname.h"
 #include "util/data/msgreply.h"
@@ -955,6 +956,7 @@ nsec3_do_prove_nameerror(struct module_env* env, struct nsec3_filter* flt,
 			"a closest encloser");
 		return sec_status_bogus;
 	}
+	log_nametypeclass(VERB_ALGO, "nsec3 namerror: proven ce=", ce.ce,0,0);
 
 	/* At this point, we know that qname does not exist. Now we need 
 	 * to prove that the wildcard does not exist. */
@@ -985,6 +987,8 @@ nsec3_prove_nameerror(struct module_env* env, struct val_env* ve,
 		return sec_status_bogus; /* no RRs */
 	if(nsec3_iteration_count_high(ve, &flt, kkey))
 		return sec_status_insecure; /* iteration count too high */
+	log_nametypeclass(VERB_ALGO, "start nsec3 nameerror proof, zone", 
+		flt.zone, 0, 0);
 	return nsec3_do_prove_nameerror(env, &flt, &ct, qinfo);
 }
 
diff --git a/validator/validator.c b/validator/validator.c
index 8617faf10..f1cf63a83 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -679,6 +679,8 @@ validate_nameerror_response(struct module_env* env, struct val_env* ve,
 				chase_reply->security));
 			return;
 		}
+		has_valid_nsec = 1;
+		has_valid_wnsec = 1;
 	}
 
 	/* If the message fails to prove either condition, it is bogus. */