From: Remi Gacogne
Date: Wed, 17 May 2017 16:53:57 +0000 (+0200)
Subject: rec: Validate lack of DS record
X-Git-Tag: rec-4.1.0-alpha1~50^2~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88cb0fe0b0d422ebd9fdc661b9546ae38955946b;p=thirdparty%2Fpdns.git

rec: Validate lack of DS record
---

diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index 947c27ee0b..6adc31cf94 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -4929,7 +4929,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_skipped_cut) {
 return 1;
 }
 }
- else if (domain == target) {
+ else {
 if (isRootServer(ip)) {
 setLWResult(res, 0, false, false, true);
 addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
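Review bot: Replacing `else if (domain == target)` with a bare `else` makes the per-IP branches answer every non-DS/DNSKEY query regardless of name, so a query for an unexpected name now gets a root/com referral instead of falling through, and only the `queriesCount` assertion can still catch it. Since the NS branches added elsewhere in this commit already switch on `domain ==` literals, consider pinning the accepted names at the top of the `else` as well, e.g. `BOOST_REQUIRE(domain == target || domain == DNSName("com.") || domain == DNSName("powerdns.com."));`, adjusted to whichever names this mock is meant to see (not confirmable from the hunk). The mock lambda this `else` belongs to starts and ends outside the hunk.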
@@ -5000,8 +5000,17 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_ta_skipped_cut) { queriesCount++; if (type == QType::DS) { - setLWResult(res, 0, false, false, true); - addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); + if (domain == DNSName("www.sub.powerdns.com")) { + setLWResult(res, 0, false, false, true); + addRecordToLW(res, DNSName("sub.powerdns.com"), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); + addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300); + addNSECRecordToLW(DNSName("www.sub.powerdns.com"), DNSName("vww.sub.powerdns.com."), { QType::A }, 600, res->d_records); + addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300); + } + else { + setLWResult(res, 0, false, false, true); + addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); + } return 1; } else if (type == QType::DNSKEY) { @@ -5012,7 +5021,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_ta_skipped_cut) { return 1; } } - else if (domain == target) { + else { if (isRootServer(ip)) { setLWResult(res, 0, false, false, true); addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); 
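Review bot: The NSEC added for the DS NODATA answer, owner `www.sub.powerdns.com.` with next name `vww.sub.powerdns.com.`, has a next-owner that sorts before its owner in canonical order (`vww` < `www`), which no real zone produces: the last NSEC in a chain wraps to the apex, `sub.powerdns.com.`, not to a sibling. A NODATA check only needs the owner to equal the qname and the bitmap to lack DS, so the test passes, but any validator that also sanity-checks the chain would reject this record; use `DNSName("sub.powerdns.com.")` (or a name sorting after `www`) as the next name. The bitmap `{ QType::A }` also omits the RRSIG and NSEC types that every signed name carries; `{ QType::A, QType::NSEC, QType::RRSIG }` keeps the fixture honest without changing what is proved. The mock lambda containing this branch starts before and ends after the hunk.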
@@ -5023,15 +5032,39 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_ta_skipped_cut) { return 1; } else if (ip == ComboAddress("192.0.2.1:53")) { - setLWResult(res, 0, false, false, true); - addRecordToLW(res, DNSName("powerdns.com."), QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); - addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); + if (domain == DNSName("com.")) { + setLWResult(res, 0, true, false, true); + addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com."); + addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); + } + else if (domain == DNSName("powerdns.com.")) { + setLWResult(res, 0, false, false, true); + addRecordToLW(res, DNSName("powerdns.com."), QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); + addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); + } return 1; } else if (ip == ComboAddress("192.0.2.2:53")) { setLWResult(res, 0, true, false, true); - addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); - addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com."), 300); + if (type == QType::NS) { + if (domain == DNSName("www.sub.powerdns.com.")) { + addRecordToLW(res, DNSName("sub.powerdns.com"), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 
2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600); + addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300); + addNSECRecordToLW(DNSName("www.sub.powerdns.com"), DNSName("vww.sub.powerdns.com."), { QType::A }, 600, res->d_records); + addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300); + } + else if (domain == DNSName("sub.powerdns.com.")) { + addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); + addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com."), 300); + } + else if (domain == DNSName("powerdns.com.")) { + addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); + } + } + else if (domain == DNSName("www.sub.powerdns.com.")) { + addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); + addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com."), 300); + } return 1; } } @@ -5043,7 +5076,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_ta_skipped_cut) { int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); - BOOST_REQUIRE_EQUAL(ret.size(), 1); + BOOST_REQUIRE_EQUAL(ret.size(), 2); BOOST_CHECK(ret[0].d_type == QType::A); BOOST_CHECK_EQUAL(queriesCount, 5); @@ -5052,7 +5085,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_ta_skipped_cut) { res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); - BOOST_REQUIRE_EQUAL(ret.size(), 1); + BOOST_REQUIRE_EQUAL(ret.size(), 2); BOOST_CHECK(ret[0].d_type == QType::A); BOOST_CHECK_EQUAL(queriesCount, 5); } @@ -5600,7 +5633,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_secure_cname) { BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_insecure_cname) { std::unique_ptr sr; - initSR(sr, true); + initSR(sr, true, true); g_dnssecmode = DNSSECMode::ValidateAll; 
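Review bot: The four-line NODATA proof for `www.sub.powerdns.com.` (SOA, RRSIG, NSEC, RRSIG) in the new `type == QType::NS` branch at 192.0.2.2 is a verbatim copy of the one the DS branch of this test builds, down to the same SOA rdata string and the same NSEC next-name, so a fix to one will silently miss the other. A small lambda in the test body, called from both places, removes the duplication. Separately, `setLWResult(res, 0, true, false, true)` on the 192.0.2.2 branch marks every response authoritative before the name is checked, so an NS query for a name not listed gets an empty AA NOERROR; if that is intended a one-line comment would say so. This hunk begins on the previous line and the mock lambda it patches starts and ends outside it.
```cpp
  /* NODATA proof, signed by sub.powerdns.com., that www.sub.powerdns.com. has no DS and is not a cut */
  auto addNoDataProof = [&keys](LWResult* res) {
    addRecordToLW(res, DNSName("sub.powerdns.com"), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
    addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300);
    addNSECRecordToLW(DNSName("www.sub.powerdns.com"), DNSName("vww.sub.powerdns.com."), { QType::A }, 600, res->d_records);
    addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300);
  };
  // … unchanged: both DS and NS NODATA branches then call addNoDataProof(res); …
```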
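Review bot: `BOOST_REQUIRE_EQUAL(ret.size(), 2)` now expects a second record but nothing pins what it is; the intent, judging by the `/* We got a RRSIG */` comment in `test_dnssec_insecure_ta`, is that the RRSIG over the A record is returned, so add `BOOST_CHECK(ret[1].d_type == QType::RRSIG);` after the `ret[0]` check, and the same in the cache re-run hunk that follows. The unchanged `BOOST_CHECK_EQUAL(queriesCount, 5)` also deserves the per-query breakdown comment this commit adds to `test_dnssec_insecure_ta`, because the mock now serves several more query shapes and a reader cannot tell which five are expected.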
@@ -5655,26 +5688,41 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_insecure_cname) { return 1; } else if (ip == ComboAddress("192.0.2.1:53")) { - setLWResult(res, 0, false, false, true); - addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); - if (domain == DNSName("powerdns.com.")) { - addDS(DNSName("powerdns.com."), 300, res->d_records, keys); + if (domain == DNSName("com.")) { + setLWResult(res, 0, true, false, true); + addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); + addRRSIG(keys, res->d_records, DNSName("com."), 300); + addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); + addRRSIG(keys, res->d_records, DNSName("com."), 300); } - else if (domain == targetCName) { - addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records); + else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) { + setLWResult(res, 0, false, false, true); + addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); + if (domain == DNSName("powerdns.com.")) { + addDS(DNSName("powerdns.com."), 300, res->d_records, keys); + } + else if (domain == targetCName) { + addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records); + } + addRRSIG(keys, res->d_records, DNSName("com."), 300); + addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); } - addRRSIG(keys, res->d_records, DNSName("com."), 300); - addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); return 1; } else if (ip == ComboAddress("192.0.2.2:53")) { setLWResult(res, 0, true, false, true); - if (domain == DNSName("powerdns.com.")) { - addRecordToLW(res, domain, QType::CNAME, targetCName.toString()); - /* No RRSIG -> Bogus */ + if (type == QType::NS) { + addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); + 
addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); } - else if (domain == targetCName) { - addRecordToLW(res, domain, QType::A, targetCNameAddr.toString()); + else { + if (domain == DNSName("powerdns.com.")) { + addRecordToLW(res, domain, QType::CNAME, targetCName.toString()); + /* No RRSIG -> Bogus */ + } + else if (domain == targetCName) { + addRecordToLW(res, domain, QType::A, targetCNameAddr.toString()); + } } return 1; } @@ -5737,7 +5785,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta) { return 1; } } - else if (domain == target) { + else { if (isRootServer(ip)) { setLWResult(res, 0, false, false, true); addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); 
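Review bot: In the new `domain == DNSName("com.")` branch at 192.0.2.1 the NS RRset names `ns1.powerdns.com.` as the com. nameserver while the ADDITIONAL glue (which the following `addRRSIG` appears to sign) is for `a.gtld-servers.com.` at 192.0.2.1, so the signed answer and its glue describe two different servers. The parallel branch added to `test_dnssec_insecure_ta` and the fix in `test_dnssec_insecure_ta_norrsig` both use `a.gtld-servers.com.`; unless the mismatch is deliberate, change the NS line to `addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");`. Signing that glue with the com. key also sits oddly next to the "glue MUST NOT be signed" quote in the syncres.cc hunk, though as this response is marked AA it may be meant as an in-zone address; a comment saying which would help. This hunk begins on the previous line and the mock lambda extends past it.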
@@ -5747,14 +5795,26 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta) { return 1; } else if (ip == ComboAddress("192.0.2.1:53")) { - setLWResult(res, 0, false, false, true); - addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); - addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); + if (target == domain) { + setLWResult(res, 0, false, false, true); + addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600); + addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); + } + else if (domain == DNSName("com.")) { + setLWResult(res, 0, true, false, true); + addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); + addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); + } return 1; } else if (ip == ComboAddress("192.0.2.2:53")) { setLWResult(res, 0, true, false, true); - addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); + if (type == QType::NS) { + addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com."); + } + else { + addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); + } addRRSIG(keys, res->d_records, domain, 300); return 1; } @@ -5771,8 +5831,12 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta) { /* We got a RRSIG */ BOOST_REQUIRE_EQUAL(ret.size(), 2); BOOST_CHECK(ret[0].d_type == QType::A); - /* only 4 because no DNSKEY query for com (insecure) */ - BOOST_CHECK_EQUAL(queriesCount, 4); + /* - NS com. (at . and com.) + - NS powerdns.com (com. and powerdns.com.) + - DNSKEY (. and powerdns.com.) + - A powerdns.com + */ + BOOST_CHECK_EQUAL(queriesCount, 7); /* again, to test the cache */ ret.clear(); 
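Review bot: At 192.0.2.1 the rewritten branch handles only `target` and `com.`, and any other name now returns 1 with `res` left untouched rather than reaching the mock's fall-through, so a stray query would surface as an odd empty answer instead of as an unexpected query. Either add an `else { return 0; }` (if 0 is this harness's "unexpected query" signal, which the hunk does not show) or a `BOOST_FAIL` in that branch so the failure is attributed to the right place. The per-query breakdown comment added further down is a good model for the other tests in this commit. The enclosing mock lambda starts and ends outside this hunk.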
@@ -5781,7 +5845,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta) { BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); BOOST_REQUIRE_EQUAL(ret.size(), 2); BOOST_CHECK(ret[0].d_type == QType::A); - BOOST_CHECK_EQUAL(queriesCount, 4); + BOOST_CHECK_EQUAL(queriesCount, 7); } BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta_norrsig) { @@ -5839,7 +5903,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta_norrsig) { else if (domain == DNSName("com.")) { setLWResult(res, 0, true, false, true); addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com."); - addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600); + addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); } return 1; } @@ -5867,8 +5931,12 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta_norrsig) { /* No RRSIG */ BOOST_REQUIRE_EQUAL(ret.size(), 1); BOOST_CHECK(ret[0].d_type == QType::A); - /* only 3 because no DNSKEY query for com (insecure) and no RRSIG meaning no DNSKEY for powerdns.com */ - BOOST_CHECK_EQUAL(queriesCount, 3); + /* - NS com. (at . and com.) + - NS powerdns.com (com. and powerdns.com.) + - DNSKEY (.) + - A powerdns.com (no DNSKEY because no RRSIG) + */ + BOOST_CHECK_EQUAL(queriesCount, 6); /* again, to test the cache */ ret.clear(); @@ -5877,7 +5945,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta_norrsig) { BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); BOOST_REQUIRE_EQUAL(ret.size(), 1); BOOST_CHECK(ret[0].d_type == QType::A); - BOOST_CHECK_EQUAL(queriesCount, 3); + BOOST_CHECK_EQUAL(queriesCount, 6); } #if 0 diff --git a/pdns/syncres.cc b/pdns/syncres.cc index 2e8ca341f2..5efdcfeccb 100644 --- a/pdns/syncres.cc +++ b/pdns/syncres.cc 
@@ -1790,16 +1790,19 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr "Glue address RRsets associated with delegations MUST NOT be signed" */ if (i->first.type == QType::DNSKEY && i->first.place == DNSResourceRecord::ANSWER) { + LOG("Validating DNSKEY for "<first.name<first.name, i->second.records, i->second.signatures, depth); } else { + LOG("Validating non-additional record for "<first.name<first.name, i->second.records, i->second.signatures); } } } else { - /* for non authoritative answer, we only care about the DS record */ - if (i->first.type == QType::DS && i->first.place == DNSResourceRecord::AUTHORITY) { + /* for non authoritative answer, we only care about the DS record (or lack of) */ + if ((i->first.type == QType::DS || i->first.type == QType::NSEC || i->first.type == QType::NSEC3) && i->first.place == DNSResourceRecord::AUTHORITY) { + LOG("Validating DS record for "<first.name<first.name, i->second.records, i->second.signatures); } }
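Review bot: Extending the AUTHORITY-section validation to NSEC and NSEC3 only establishes that those records carry a valid signature under the parent's keys; on its own that does not prove the DS RRset is absent at this delegation. For NSEC the owner has to match the child name and the type bitmap must have NS set and DS (and CNAME) clear, and for NSEC3 the child name's hash must match (or, with Opt-Out, be covered) under the same bitmap rule (RFC 4035 §5.2, RFC 5155 §8.9); if that matching lives where the referral is classified as an insecure cut, a cross-reference comment here would save the next reader the search, and if it does not, a signed but unrelated NSEC replayed from the parent zone would pass as a denial. I would also make the comment state what is being proved: `/* for a referral, only the DS RRset in the AUTHORITY section, or the NSEC/NSEC3 proving there is none, is relevant */`. The LOG lines look garbled in this rendering (`"<first.name<first.name`), presumably `<<` eaten as markup, and `updateCacheFromRecords` starts and ends outside the hunk.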