From: Remi Gacogne Date: Fri, 1 Mar 2024 14:54:40 +0000 (+0100) Subject: rec: Add a unit test for the gathering of denial of existence proof for wildcard... X-Git-Tag: dnsdist-1.10.0-alpha0~20^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bedfbaa1912ee464a61dc7996341574040fab84a;p=thirdparty%2Fpdns.git rec: Add a unit test for the gathering of denial of existence proof for wildcard-expanded names
---
diff --git a/pdns/recursordist/test-syncres_cc3.cc b/pdns/recursordist/test-syncres_cc3.cc
index 1bb73faa60..1edc99c70d 100644
--- a/pdns/recursordist/test-syncres_cc3.cc
+++ b/pdns/recursordist/test-syncres_cc3.cc
@@ -1257,6 +1257,79 @@ BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd_dnssec_nodata_bogus)
 BOOST_CHECK_EQUAL(queriesCount, 4U);
 }
 
+BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd_dnssec_cname_wildcard_expanded)
+{
+ std::unique_ptr sr;
+ initSR(sr, true);
+
+ setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+ primeHints();
+ /* unsigned */
+ const DNSName target("test.");
+ /* signed */
+ const DNSName cnameTarget("cname.");
+ testkeysset_t keys;
+
+ auto luaconfsCopy = g_luaconfs.getCopy();
+ luaconfsCopy.dsAnchors.clear();
+ generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);
+ generateKeyMaterial(cnameTarget, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);
+ g_luaconfs.setState(luaconfsCopy);
+
+ const ComboAddress forwardedNS("192.0.2.42:53");
+ size_t queriesCount = 0;
+
+ SyncRes::AuthDomain ad;
+ ad.d_rdForward = true;
+ ad.d_servers.push_back(forwardedNS);
+ (*SyncRes::t_sstorage.domainmap)[g_rootdnsname] = ad;
+
+ sr->setAsyncCallback([&](const ComboAddress& address, const DNSName& domain, int type, bool /* doTCP */, bool sendRDQuery, int /* EDNS0Level */, struct timeval* /* now */, boost::optional& /* srcmask */, const ResolveContext& /* context */, LWResult* res, bool* /* chained */) {
+ queriesCount++;
+
+ BOOST_CHECK_EQUAL(sendRDQuery, true);
+
+ if (address != forwardedNS) {
+ return LWResult::Result::Timeout;
+ }
+
+ if (type == QType::DS || type == QType::DNSKEY) {
+ return genericDSAndDNSKEYHandler(res, domain, DNSName("."), type, keys);
+ }
+
+ if (domain == target && type == QType::A) {
+
+ setLWResult(res, 0, false, false, true);
+ addRecordToLW(res, target, QType::CNAME, cnameTarget.toString());
+ addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1");
+ /* the RRSIG proves that the cnameTarget was expanded from a wildcard */
+ addRRSIG(keys, res->d_records, cnameTarget, 300, false, boost::none, DNSName("*"));
+ /* we need to add the proof that this name does not exist, so the wildcard may apply */
+ addNSECRecordToLW(DNSName("cnamd."), DNSName("cnamf."), {QType::A, QType::NSEC, QType::RRSIG}, 60, res->d_records);
+ addRRSIG(keys, res->d_records, cnameTarget, 300);
+
+ return LWResult::Result::Success;
+ }
+ return LWResult::Result::Timeout;
+ });
+
+ vector ret;
+ int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
+ BOOST_REQUIRE_EQUAL(ret.size(), 5U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
+
+ /* again, to test the cache */
+ ret.clear();
+ res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
+ BOOST_REQUIRE_EQUAL(ret.size(), 5U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
+}
+
 BOOST_AUTO_TEST_CASE(test_auth_zone_oob)
 {
 std::unique_ptr sr;
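Review bot: The new test only covers the case where the NSEC covering the wildcard-expanded `cname.` is supplied, so a regression that stops the validator from requiring a denial-of-existence proof for wildcard-expanded answers (the property the hunk's own comment "we need to add the proof that this name does not exist, so the wildcard may apply" describes) would not be caught; a companion test that omits the `addNSECRecordToLW(...)` call and its following `addRRSIG(keys, res->d_records, cnameTarget, 300);` and asserts the answer is no longer accepted as it is here (presumably `vState::Bogus`) would pin that requirement. The `5U` record and query counts are magic numbers: a comment such as `/* CNAME, A + RRSIG, NSEC + RRSIG */` next to `BOOST_REQUIRE_EQUAL(ret.size(), 5U);` would make the assertion self-explanatory, and a similar breakdown next to `BOOST_CHECK_EQUAL(queriesCount, 5U);` would help whoever has to update it. The blank line directly after `if (domain == target && type == QType::A) {` looks stray and does not match the surrounding formatting. Template arguments appear to have been stripped by the rendering (`std::unique_ptr sr;`, `vector ret;`, `boost::optional&`), so those are presumably not defects in the committed code.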