From: TCY16
Date: Wed, 8 Sep 2021 14:38:33 +0000 (+0200)
Subject: add DNSSEC indeterminate EDE and DNAME expansion test
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9df75a842bc5f30e5323805da1b5838e9fc7f3c3;p=thirdparty%2Funbound.git

add DNSSEC indeterminate EDE and DNAME expansion test
---
diff --git a/daemon/worker.c b/daemon/worker.c
index ae2e44a87..c059214ef 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -502,6 +502,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 secure = 1;
 break;
 case sec_status_indeterminate:
+ EDNS_OPT_APPEND_EDE(edns, worker->scratchpad,
+ LDNS_EDE_DNSSEC_INDETERMINATE, "");
 case sec_status_insecure:
 default:
 /* not secure */
diff --git a/services/rpz.c b/services/rpz.c
index 1268a9a06..f7ed0cfc0 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -1037,8 +1037,6 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
 return 0;
 }
-
- // @TODO: Find out if it's local answer of blocked; if blocked then EDE: blocked
 if(lzt == local_zone_redirect && local_data_answer(z, env, qinfo, edns, repinfo, buf, temp, dname_count_labels(qinfo->qname), &ld, lzt, -1, NULL, 0, NULL, 0)) {
@@ -1052,6 +1050,8 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
 return !qinfo->local_alias;
 }
+ // @TODO: Find out if it's local answer or blocked; if blocked then EDE: blocked
+ // -> we do that in this function
 ret = local_zones_zone_answer(z, env, qinfo, edns, repinfo, buf, temp, 0 /* no local data used */, lzt);
 if(r->log)
diff --git a/testdata/ede.tdir/ede.conf b/testdata/ede.tdir/ede.conf
index e5b0f73f5..eb07ba4c2 100644
--- a/testdata/ede.tdir/ede.conf
+++ b/testdata/ede.tdir/ede.conf
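Review bot: The two `EDNS_OPT_APPEND_EDE` lines added under `case sec_status_indeterminate:` turn what was an empty case into one that falls through into `case sec_status_insecure:` with no marker, so `-Wimplicit-fallthrough` will now warn here and a reader cannot tell whether the fall-through is intended. Add `/* fallthrough */` on the line after the `LDNS_EDE_DNSSEC_INDETERMINATE, "");` call, or end the case with `break;` if an indeterminate answer is not meant to take the "not secure" path. answer_norec_from_cache begins and ends outside the hunk.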
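Review bot: The comment relocated in the hunk at -1052 before the `local_zones_zone_answer` call contradicts itself: it asks to "find out" whether the answer is local or blocked and then says "we do that in this function", so a reader cannot tell whether the TODO is still open or resolved. It also uses `//` while the code visible in the same hunk comments with `/* */` (`0 /* no local data used */`). Either drop it or state the resolved fact, e.g. `/* TODO: distinguish local answer from blocked; EDE blocked is expected to be added by local_zones_zone_answer() */`. The hunk at -1037 only deletes the old copy of this comment. rpz_apply_qname_trigger starts before and continues after both hunks.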
@@ -16,6 +16,7 @@ server:
 local-zone: hopsa.kidee. always_refuse
 local-data: "hopsa.kidee. TXT hela hola"
-rpz:
- name: rpz.nlnetlabs.nl
- zonefile: rpz.nlnetlabs.nl
\ No newline at end of file
+ local-zone: uva.nl. always_null
+
+ local-zone: example.com redirect
+ local-data: "example.com CNAME *.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaa."
\ No newline at end of file
diff --git a/testdata/ede.tdir/ede.test b/testdata/ede.tdir/ede.test
index 5167a32cc..c81d7f89f 100644
--- a/testdata/ede.tdir/ede.test
+++ b/testdata/ede.tdir/ede.test
@@ -50,10 +50,37 @@ fi
 # DNAME expansion
+# @TODO do we have this?
-# RPZ
+# RPZ DNAME expansion too long
+dig @127.0.0.1 -p $UNBOUND_PORT www.qhqwer.qwer.qwer.h.example.com A > dname_expansion.txt
+if ! grep -q "OPT=15: 00 00 44 4e 41 4d 45 20 65 78 70 61 6e 73 69 6f 6e 20 62 65 63 61 6d 65 20 74 6f 6f 20 6c 61 72 67 65" dname_expansion.txt
+then
+ echo "No DNAME expansion for CNAME EDE message"
+ exit 1
+fi
+
+# RPZ always_null gets EDE forged
+dig @127.0.0.1 -p $UNBOUND_PORT uva.nl A > always_null_forged.txt
+
+if ! grep -q "OPT=15: 00 04" always_null_forged.txt
+then
+ echo "local-zone always_null must have EDE forged code"
+ exit 1
+fi
+
+# RPZ always_refuse
+dig @127.0.0.1 -p $UNBOUND_PORT hopsa.kidee. A > always_refuse_forged.txt
+
+if ! grep -q "OPT=15: 00 04" always_refuse_forged.txt
+then
+ echo "local-zone always_null must have EDE blocked code"
+ exit 1
+fi
+
+dig @localhost hopsa.kidee. A
 # teardown
diff --git a/testdata/ede.tdir/rpz.nlnetlabs.nl b/testdata/ede.tdir/rpz.nlnetlabs.nl
deleted file mode 100644
index 3326bdb92..000000000
--- a/testdata/ede.tdir/rpz.nlnetlabs.nl
+++ /dev/null
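Review bot: `local-zone: example.com redirect` and the owner name in its `local-data` line lack the trailing dot that the other names in this hunk carry (`uva.nl.`, `hopsa.kidee.`); both spellings should parse to the same absolute name, so this is a consistency point rather than a functional one, but mixing the forms in a small test config makes it harder to scan. I'd write `local-zone: example.com. redirect` and use the same dotted form for the `local-data` owner name. The file also still ends without a newline on both sides of the hunk, which git keeps flagging with `\ No newline at end of file`.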
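Review bot: The third new check's failure message disagrees with what it tests: the block is headed `# RPZ always_refuse`, queries `hopsa.kidee.` and greps for `OPT=15: 00 04`, the same bytes the preceding block calls "forged", yet on failure it prints `local-zone always_null must have EDE blocked code`. Either the expected bytes or the message is wrong; if code 4 is really what always_refuse should emit, change the line to `echo "local-zone always_refuse must have EDE forged code"`, otherwise the grep needs the blocked code. The trailing `dig @localhost hopsa.kidee. A` queries port 53 instead of `-p $UNBOUND_PORT`, captures nothing and asserts nothing, so it reads as a leftover debug line and should be removed. The `# RPZ ...` headings are misleading now that this same commit drops the `rpz:` block from ede.conf; these are local-zone checks. The `# @TODO do we have this?` line under `# DNAME expansion` should either be resolved or say which following check answers it.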
@@ -1,4 +0,0 @@
-$ORIGIN rpz.nlnetlabs.nl.
-
-drop.example.com.rpz.nlnetlabs.nl. CNAME rpz-drop.
-32.34.216.184.93.rpz-ip.rpz.nlnetlabs.nl. A 192.0.2.1
\ No newline at end of file