From: Wouter Wijngaards Date: Tue, 18 Sep 2007 08:28:35 +0000 (+0000) Subject: wildcard nsec3 tests. X-Git-Tag: release-0.5~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c4392dd54c30d9b03dac23ef1c185e71f6596ad3;p=thirdparty%2Funbound.git wildcard nsec3 tests. git-svn-id: file:///svn/unbound/trunk@618 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 1f9ebf78c..72313047c 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +18 September 2007: Wouter + - wildcard nsec3 testcases, and fixup to get correct wildcard name. + 17 September 2007: Wouter - NSEC3 hash cache unit test. - validator nsec3 nameerror test. diff --git a/testdata/val_nsec3_b4_wild.rpl b/testdata/val_nsec3_b4_wild.rpl new file mode 100644 index 000000000..1bb04b5bb --- /dev/null +++ b/testdata/val_nsec3_b4_wild.rpl @@ -0,0 +1,137 @@ +; config options +server: + trust-anchor: "example. DNSKEY 257 3 133 (AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX )" + val-override-date: "20120420235959" + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test validator NSEC3 B.4 wildcard expansion. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +. IN A +SECTION AUTHORITY +example. IN NS ns1.example. +; leave out to make unbound take ns1 +;example. IN NS ns2.example. +SECTION ADDITIONAL +ns1.example. IN A 192.0.2.1 +; leave out to make unbound take ns1 +;ns2.example. IN A 192.0.2.2 +ENTRY_END +RANGE_END + +; ns1.example. +RANGE_BEGIN 0 100 + ADDRESS 192.0.2.1 + +; response to DNSKEY priming query + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example. IN DNSKEY +SECTION ANSWER +example. DNSKEY 256 3 133 ( AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU 5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL ExXT48OGGdbfIme5 ) +example. DNSKEY 257 3 133 ( AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX ) +example. RRSIG DNSKEY 133 1 3600 20150420235959 ( 20051021000000 22088 example. Xpo9ptByXb8M1JR1i0KuRmKGc/YeOLcc6Ptn RJOx6ADLSL2mU6AYX5tAJRMTKTXk6waLIaxu liqUBOkCjLUZMw== ) +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +a.z.w.example. IN MX +SECTION ANSWER +a.z.w.example. MX 1 ai.example. +a.z.w.example. RRSIG MX 133 2 3600 20150420235959 20051021000000 ( 62827 example. DnT0Y6dRBM8f3v8HdKmZUsGVkXh+b+htujCR c423x6c8erEMGVnxcrmcrZ53qGXcMYJ+TDkq a7Xfz/f9xzvSTw== ) +SECTION AUTHORITY +example. NS ns1.example. +example. NS ns2.example. +example. RRSIG NS 133 1 3600 20150420235959 20051021000000 ( 62827 example. D9+iBwcbeKL5+TorTfYn4/pLr2lSFwyGYCyM gfq4TpFaZpxrCJPLxHbKjdkR18jAt7+SR7B5 JpiZcff2Cj2B0w== ) + +;; NSEC3 RR that covers the "next closer" name (z.w.example) +;; H(z.w.example) = qlu7gtfaeh0ek0c05ksfhdpbcgglbe03 +q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd ( r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG ) +q04jkcevqvmu85r014c7dkba38o0ji5r.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. ktIfH8VRjEKYPB0Qf4EdTuSlYn4DVSRRaGWc kVGmKzreEU5zs97CL8OQSa6C0JZX2yMBXijC Wu6EvgCXrflgiQ== ) + +SECTION ADDITIONAL +ai.example. A 192.0.2.9 +ai.example. RRSIG A 133 2 3600 20150420235959 20051021000000 ( 62827 example. qfXAvKr5o3Jixy5KXnVMEhABo3DDHYSR5+Ag lVxWCExWGMokdkafjW8Hb54+GrOFp/xmDoj5 BXfXAqURwLqznA== ) +ai.example. AAAA 2001:db8:0:0:0:0:f00:baa9 +ai.example. RRSIG AAAA 133 2 3600 20150420235959 ( 20051021000000 62827 example. m65zc0A16Xbx3jYb0t5vPwMzE2xS15mKh76M hSuKfiFVhBFcQ9IilEM0pXnLzt3ozrM/3X0x 2ruyuN0zC+PABA== ) +ENTRY_END + +; catch glue queries +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +ns2.example. IN A +SECTION ANSWER +; nothing to make sure the ns1 server is used for queries. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +ns2.example. IN AAAA +SECTION ANSWER +; nothing to make sure the ns1 server is used for queries. +ENTRY_END + + +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.z.w.example. IN MX +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD NOERROR +SECTION QUESTION +a.z.w.example. IN MX +SECTION ANSWER +a.z.w.example. MX 1 ai.example. +SECTION AUTHORITY +example. NS ns1.example. +example. NS ns2.example. +SECTION ADDITIONAL +ai.example. A 192.0.2.9 +ai.example. AAAA 2001:db8:0:0:0:0:f00:baa9 +ENTRY_END + +SCENARIO_END diff --git a/testdata/val_nsec3_b4_wild_wr.rpl b/testdata/val_nsec3_b4_wild_wr.rpl new file mode 100644 index 000000000..93461ef85 --- /dev/null +++ b/testdata/val_nsec3_b4_wild_wr.rpl @@ -0,0 +1,136 @@ +; config options +server: + trust-anchor: "example. DNSKEY 257 3 133 (AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX )" + val-override-date: "20120420235959" + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test validator NSEC3 B.4 wildcard expansion, wrong NSEC3. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +. IN A +SECTION AUTHORITY +example. IN NS ns1.example. +; leave out to make unbound take ns1 +;example. IN NS ns2.example. +SECTION ADDITIONAL +ns1.example. IN A 192.0.2.1 +; leave out to make unbound take ns1 +;ns2.example. IN A 192.0.2.2 +ENTRY_END +RANGE_END + +; ns1.example. +RANGE_BEGIN 0 100 + ADDRESS 192.0.2.1 + +; response to DNSKEY priming query + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example. IN DNSKEY +SECTION ANSWER +example. DNSKEY 256 3 133 ( AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU 5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL ExXT48OGGdbfIme5 ) +example. DNSKEY 257 3 133 ( AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX ) +example. RRSIG DNSKEY 133 1 3600 20150420235959 ( 20051021000000 22088 example. Xpo9ptByXb8M1JR1i0KuRmKGc/YeOLcc6Ptn RJOx6ADLSL2mU6AYX5tAJRMTKTXk6waLIaxu liqUBOkCjLUZMw== ) +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +a.z.w.example. IN MX +SECTION ANSWER +a.z.w.example. MX 1 ai.example. +a.z.w.example. RRSIG MX 133 2 3600 20150420235959 20051021000000 ( 62827 example. DnT0Y6dRBM8f3v8HdKmZUsGVkXh+b+htujCR c423x6c8erEMGVnxcrmcrZ53qGXcMYJ+TDkq a7Xfz/f9xzvSTw== ) +SECTION AUTHORITY +example. NS ns1.example. +example. NS ns2.example. +example. RRSIG NS 133 1 3600 20150420235959 20051021000000 ( 62827 example. D9+iBwcbeKL5+TorTfYn4/pLr2lSFwyGYCyM gfq4TpFaZpxrCJPLxHbKjdkR18jAt7+SR7B5 JpiZcff2Cj2B0w== ) + +;; NSEC3 RR that covers the "next closer" name (z.w.example) +;; H(z.w.example) = qlu7gtfaeh0ek0c05ksfhdpbcgglbe03 +;q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd ( r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG ) +;q04jkcevqvmu85r014c7dkba38o0ji5r.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. ktIfH8VRjEKYPB0Qf4EdTuSlYn4DVSRRaGWc kVGmKzreEU5zs97CL8OQSa6C0JZX2yMBXijC Wu6EvgCXrflgiQ== ) + +; The wrong NSEC3 here +k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd ( kohar7mbb8dc2ce8a9qvl8hon4k53uhi ) +k8udemvp1j2f7eg6jebps17vp3n8i58h.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. IKJfInxfypsDiXKgT6HDvCPEIBu9lZCc0CWl c46+Gj/Jrg1NBkSJkKMjCERp1HT8tKU+zYp5 Kyio/cddEaa5Gg== ) + +SECTION ADDITIONAL +ai.example. A 192.0.2.9 +ai.example. RRSIG A 133 2 3600 20150420235959 20051021000000 ( 62827 example. qfXAvKr5o3Jixy5KXnVMEhABo3DDHYSR5+Ag lVxWCExWGMokdkafjW8Hb54+GrOFp/xmDoj5 BXfXAqURwLqznA== ) +ai.example. AAAA 2001:db8:0:0:0:0:f00:baa9 +ai.example. RRSIG AAAA 133 2 3600 20150420235959 ( 20051021000000 62827 example. m65zc0A16Xbx3jYb0t5vPwMzE2xS15mKh76M hSuKfiFVhBFcQ9IilEM0pXnLzt3ozrM/3X0x 2ruyuN0zC+PABA== ) +ENTRY_END + +; catch glue queries +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +ns2.example. IN A +SECTION ANSWER +; nothing to make sure the ns1 server is used for queries. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +ns2.example. IN AAAA +SECTION ANSWER +; nothing to make sure the ns1 server is used for queries. +ENTRY_END + + +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.z.w.example. IN MX +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA SERVFAIL +SECTION QUESTION +a.z.w.example. IN MX +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +ENTRY_END + +SCENARIO_END diff --git a/testdata/val_nsec3_b5_wcnodata.rpl b/testdata/val_nsec3_b5_wcnodata.rpl new file mode 100644 index 000000000..13f52211d --- /dev/null +++ b/testdata/val_nsec3_b5_wcnodata.rpl @@ -0,0 +1,138 @@ +; config options +server: + trust-anchor: "example. DNSKEY 257 3 133 (AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX )" + val-override-date: "20120420235959" + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test validator NSEC3 B.5 wildcard nodata. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +. IN A +SECTION AUTHORITY +example. IN NS ns1.example. +; leave out to make unbound take ns1 +;example. IN NS ns2.example. +SECTION ADDITIONAL +ns1.example. IN A 192.0.2.1 +; leave out to make unbound take ns1 +;ns2.example. IN A 192.0.2.2 +ENTRY_END +RANGE_END + +; ns1.example. +RANGE_BEGIN 0 100 + ADDRESS 192.0.2.1 + +; response to DNSKEY priming query + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example. IN DNSKEY +SECTION ANSWER +example. DNSKEY 256 3 133 ( AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU 5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL ExXT48OGGdbfIme5 ) +example. DNSKEY 257 3 133 ( AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX ) +example. RRSIG DNSKEY 133 1 3600 20150420235959 ( 20051021000000 22088 example. Xpo9ptByXb8M1JR1i0KuRmKGc/YeOLcc6Ptn RJOx6ADLSL2mU6AYX5tAJRMTKTXk6waLIaxu liqUBOkCjLUZMw== ) +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +a.z.w.example. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +example. SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 ) +example. RRSIG SOA 133 1 3600 20150420235959 20051021000000 ( 62827 example. hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+ rynLZNqsbLm40Q== ) + +;; NSEC3 RR that matches the closest encloser (w.example) +;; H(w.example) = k8udemvp1j2f7eg6jebps17vp3n8i58h +k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd ( kohar7mbb8dc2ce8a9qvl8hon4k53uhi ) +k8udemvp1j2f7eg6jebps17vp3n8i58h.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. IKJfInxfypsDiXKgT6HDvCPEIBu9lZCc0CWl c46+Gj/Jrg1NBkSJkKMjCERp1HT8tKU+zYp5 Kyio/cddEaa5Gg== ) + +;; NSEC3 RR that covers the "next closer" name (z.w.example) +;; H(z.w.example) = qlu7gtfaeh0ek0c05ksfhdpbcgglbe03 + +q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd ( r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG ) +q04jkcevqvmu85r014c7dkba38o0ji5r.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. ktIfH8VRjEKYPB0Qf4EdTuSlYn4DVSRRaGWc kVGmKzreEU5zs97CL8OQSa6C0JZX2yMBXijC Wu6EvgCXrflgiQ== ) + +;; NSEC3 RR that matches a wildcard at the closest encloser. +;; H(*.w.example) = r53bq7cc2uvmubfu5ocmm6pers9tk9en + +r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd ( t644ebqk9bibcna874givr6joj62mlhv MX RRSIG ) +r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. SzeyaiFOy9dFO1RKHAK4uVCb5GF4rNnxFMXu 6hpM44cmLcDgshlnG1CwkkcihfKOiPIBWd7I bGhsbhqrBrn5Dg== ) + +SECTION ADDITIONAL +ENTRY_END + +; catch glue queries +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +ns2.example. IN A +SECTION ANSWER +; nothing to make sure the ns1 server is used for queries. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +ns2.example. IN AAAA +SECTION ANSWER +; nothing to make sure the ns1 server is used for queries. +ENTRY_END + + +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.z.w.example. IN AAAA +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD NOERROR +SECTION QUESTION +a.z.w.example. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +example. SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 ) +SECTION ADDITIONAL +ENTRY_END + +SCENARIO_END diff --git a/testdata/val_nsec3_b5_wcnodata_noce.rpl b/testdata/val_nsec3_b5_wcnodata_noce.rpl new file mode 100644 index 000000000..e99fc1698 --- /dev/null +++ b/testdata/val_nsec3_b5_wcnodata_noce.rpl @@ -0,0 +1,137 @@ +; config options +server: + trust-anchor: "example. DNSKEY 257 3 133 (AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX )" + val-override-date: "20120420235959" + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test validator NSEC3 B.5 wildcard nodata, without ce. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +. IN A +SECTION AUTHORITY +example. IN NS ns1.example. +; leave out to make unbound take ns1 +;example. IN NS ns2.example. +SECTION ADDITIONAL +ns1.example. IN A 192.0.2.1 +; leave out to make unbound take ns1 +;ns2.example. IN A 192.0.2.2 +ENTRY_END +RANGE_END + +; ns1.example. +RANGE_BEGIN 0 100 + ADDRESS 192.0.2.1 + +; response to DNSKEY priming query + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example. IN DNSKEY +SECTION ANSWER +example. DNSKEY 256 3 133 ( AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU 5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL ExXT48OGGdbfIme5 ) +example. DNSKEY 257 3 133 ( AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX ) +example. RRSIG DNSKEY 133 1 3600 20150420235959 ( 20051021000000 22088 example. Xpo9ptByXb8M1JR1i0KuRmKGc/YeOLcc6Ptn RJOx6ADLSL2mU6AYX5tAJRMTKTXk6waLIaxu liqUBOkCjLUZMw== ) +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +a.z.w.example. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +example. SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 ) +example. RRSIG SOA 133 1 3600 20150420235959 20051021000000 ( 62827 example. hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+ rynLZNqsbLm40Q== ) + +;; NSEC3 RR that matches the closest encloser (w.example) +;; H(w.example) = k8udemvp1j2f7eg6jebps17vp3n8i58h +;k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd ( kohar7mbb8dc2ce8a9qvl8hon4k53uhi ) +;k8udemvp1j2f7eg6jebps17vp3n8i58h.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. IKJfInxfypsDiXKgT6HDvCPEIBu9lZCc0CWl c46+Gj/Jrg1NBkSJkKMjCERp1HT8tKU+zYp5 Kyio/cddEaa5Gg== ) + +;; NSEC3 RR that covers the "next closer" name (z.w.example) +;; H(z.w.example) = qlu7gtfaeh0ek0c05ksfhdpbcgglbe03 + +q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd ( r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG ) +q04jkcevqvmu85r014c7dkba38o0ji5r.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. ktIfH8VRjEKYPB0Qf4EdTuSlYn4DVSRRaGWc kVGmKzreEU5zs97CL8OQSa6C0JZX2yMBXijC Wu6EvgCXrflgiQ== ) + +;; NSEC3 RR that matches a wildcard at the closest encloser. +;; H(*.w.example) = r53bq7cc2uvmubfu5ocmm6pers9tk9en + +r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd ( t644ebqk9bibcna874givr6joj62mlhv MX RRSIG ) +r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. SzeyaiFOy9dFO1RKHAK4uVCb5GF4rNnxFMXu 6hpM44cmLcDgshlnG1CwkkcihfKOiPIBWd7I bGhsbhqrBrn5Dg== ) + +SECTION ADDITIONAL +ENTRY_END + +; catch glue queries +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +ns2.example. IN A +SECTION ANSWER +; nothing to make sure the ns1 server is used for queries. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +ns2.example. IN AAAA +SECTION ANSWER +; nothing to make sure the ns1 server is used for queries. +ENTRY_END + + +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.z.w.example. IN AAAA +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA SERVFAIL +SECTION QUESTION +a.z.w.example. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +ENTRY_END + +SCENARIO_END diff --git a/testdata/val_nsec3_b5_wcnodata_nonc.rpl b/testdata/val_nsec3_b5_wcnodata_nonc.rpl new file mode 100644 index 000000000..a43311764 --- /dev/null +++ b/testdata/val_nsec3_b5_wcnodata_nonc.rpl @@ -0,0 +1,137 @@ +; config options +server: + trust-anchor: "example. DNSKEY 257 3 133 (AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX )" + val-override-date: "20120420235959" + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test validator NSEC3 B.5 wildcard nodata, without nc. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +. IN A +SECTION AUTHORITY +example. IN NS ns1.example. +; leave out to make unbound take ns1 +;example. IN NS ns2.example. +SECTION ADDITIONAL +ns1.example. IN A 192.0.2.1 +; leave out to make unbound take ns1 +;ns2.example. IN A 192.0.2.2 +ENTRY_END +RANGE_END + +; ns1.example. +RANGE_BEGIN 0 100 + ADDRESS 192.0.2.1 + +; response to DNSKEY priming query + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example. IN DNSKEY +SECTION ANSWER +example. DNSKEY 256 3 133 ( AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU 5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL ExXT48OGGdbfIme5 ) +example. DNSKEY 257 3 133 ( AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX ) +example. RRSIG DNSKEY 133 1 3600 20150420235959 ( 20051021000000 22088 example. Xpo9ptByXb8M1JR1i0KuRmKGc/YeOLcc6Ptn RJOx6ADLSL2mU6AYX5tAJRMTKTXk6waLIaxu liqUBOkCjLUZMw== ) +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +a.z.w.example. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +example. SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 ) +example. RRSIG SOA 133 1 3600 20150420235959 20051021000000 ( 62827 example. hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+ rynLZNqsbLm40Q== ) + +;; NSEC3 RR that matches the closest encloser (w.example) +;; H(w.example) = k8udemvp1j2f7eg6jebps17vp3n8i58h +k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd ( kohar7mbb8dc2ce8a9qvl8hon4k53uhi ) +k8udemvp1j2f7eg6jebps17vp3n8i58h.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. IKJfInxfypsDiXKgT6HDvCPEIBu9lZCc0CWl c46+Gj/Jrg1NBkSJkKMjCERp1HT8tKU+zYp5 Kyio/cddEaa5Gg== ) + +;; NSEC3 RR that covers the "next closer" name (z.w.example) +;; H(z.w.example) = qlu7gtfaeh0ek0c05ksfhdpbcgglbe03 + +;q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd ( r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG ) +;q04jkcevqvmu85r014c7dkba38o0ji5r.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. ktIfH8VRjEKYPB0Qf4EdTuSlYn4DVSRRaGWc kVGmKzreEU5zs97CL8OQSa6C0JZX2yMBXijC Wu6EvgCXrflgiQ== ) + +;; NSEC3 RR that matches a wildcard at the closest encloser. +;; H(*.w.example) = r53bq7cc2uvmubfu5ocmm6pers9tk9en + +r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd ( t644ebqk9bibcna874givr6joj62mlhv MX RRSIG ) +r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. SzeyaiFOy9dFO1RKHAK4uVCb5GF4rNnxFMXu 6hpM44cmLcDgshlnG1CwkkcihfKOiPIBWd7I bGhsbhqrBrn5Dg== ) + +SECTION ADDITIONAL +ENTRY_END + +; catch glue queries +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +ns2.example. IN A +SECTION ANSWER +; nothing to make sure the ns1 server is used for queries. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +ns2.example. IN AAAA +SECTION ANSWER +; nothing to make sure the ns1 server is used for queries. +ENTRY_END + + +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.z.w.example. IN AAAA +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA SERVFAIL +SECTION QUESTION +a.z.w.example. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +ENTRY_END + +SCENARIO_END diff --git a/testdata/val_nsec3_b5_wcnodata_nowc.rpl b/testdata/val_nsec3_b5_wcnodata_nowc.rpl new file mode 100644 index 000000000..2cc21ebab --- /dev/null +++ b/testdata/val_nsec3_b5_wcnodata_nowc.rpl @@ -0,0 +1,137 @@ +; config options +server: + trust-anchor: "example. DNSKEY 257 3 133 (AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX )" + val-override-date: "20120420235959" + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test validator NSEC3 B.5 wildcard nodata, without wc. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +. IN A +SECTION AUTHORITY +example. IN NS ns1.example. +; leave out to make unbound take ns1 +;example. IN NS ns2.example. +SECTION ADDITIONAL +ns1.example. IN A 192.0.2.1 +; leave out to make unbound take ns1 +;ns2.example. IN A 192.0.2.2 +ENTRY_END +RANGE_END + +; ns1.example. +RANGE_BEGIN 0 100 + ADDRESS 192.0.2.1 + +; response to DNSKEY priming query + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example. IN DNSKEY +SECTION ANSWER +example. DNSKEY 256 3 133 ( AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU 5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL ExXT48OGGdbfIme5 ) +example. DNSKEY 257 3 133 ( AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX ) +example. RRSIG DNSKEY 133 1 3600 20150420235959 ( 20051021000000 22088 example. Xpo9ptByXb8M1JR1i0KuRmKGc/YeOLcc6Ptn RJOx6ADLSL2mU6AYX5tAJRMTKTXk6waLIaxu liqUBOkCjLUZMw== ) +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +a.z.w.example. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +example. SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 ) +example. RRSIG SOA 133 1 3600 20150420235959 20051021000000 ( 62827 example. hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+ rynLZNqsbLm40Q== ) + +;; NSEC3 RR that matches the closest encloser (w.example) +;; H(w.example) = k8udemvp1j2f7eg6jebps17vp3n8i58h +k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd ( kohar7mbb8dc2ce8a9qvl8hon4k53uhi ) +k8udemvp1j2f7eg6jebps17vp3n8i58h.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. IKJfInxfypsDiXKgT6HDvCPEIBu9lZCc0CWl c46+Gj/Jrg1NBkSJkKMjCERp1HT8tKU+zYp5 Kyio/cddEaa5Gg== ) + +;; NSEC3 RR that covers the "next closer" name (z.w.example) +;; H(z.w.example) = qlu7gtfaeh0ek0c05ksfhdpbcgglbe03 + +q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd ( r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG ) +q04jkcevqvmu85r014c7dkba38o0ji5r.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. ktIfH8VRjEKYPB0Qf4EdTuSlYn4DVSRRaGWc kVGmKzreEU5zs97CL8OQSa6C0JZX2yMBXijC Wu6EvgCXrflgiQ== ) + +;; NSEC3 RR that matches a wildcard at the closest encloser. +;; H(*.w.example) = r53bq7cc2uvmubfu5ocmm6pers9tk9en + +;r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd ( t644ebqk9bibcna874givr6joj62mlhv MX RRSIG ) +;r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. SzeyaiFOy9dFO1RKHAK4uVCb5GF4rNnxFMXu 6hpM44cmLcDgshlnG1CwkkcihfKOiPIBWd7I bGhsbhqrBrn5Dg== ) + +SECTION ADDITIONAL +ENTRY_END + +; catch glue queries +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +ns2.example. IN A +SECTION ANSWER +; nothing to make sure the ns1 server is used for queries. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +ns2.example. IN AAAA +SECTION ANSWER +; nothing to make sure the ns1 server is used for queries. +ENTRY_END + + +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.z.w.example. IN AAAA +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA SERVFAIL +SECTION QUESTION +a.z.w.example. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +ENTRY_END + +SCENARIO_END diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c index 64454edf4..fc857da51 100644 --- a/validator/val_nsec3.c +++ b/validator/val_nsec3.c @@ -1149,11 +1149,12 @@ nsec3_prove_wildcard(struct module_env* env, struct val_env* ve, return sec_status_insecure; /* iteration count too high */ /* We know what the (purported) closest encloser is by just - * looking at the supposed generating wildcard. */ + * looking at the supposed generating wildcard. + * The *. has already been removed from the wc name. + */ memset(&ce, 0, sizeof(ce)); ce.ce = wc; ce.ce_len = wclen; - dname_remove_label(&ce.ce, &ce.ce_len); /* Now we still need to prove that the original data did not exist. * Otherwise, we need to show that the next closer name is covered. */ diff --git a/validator/val_nsec3.h b/validator/val_nsec3.h index 1c55d4ff3..0b691edfb 100644 --- a/validator/val_nsec3.h +++ b/validator/val_nsec3.h @@ -161,7 +161,8 @@ nsec3_prove_nodata(struct module_env* env, struct val_env* ve, * @param num: number of RRsets in the array to examine. * @param qinfo: query that is verified for. * @param kkey: key entry that signed the NSEC3s. - * @param wc: The purported wildcard that matched. + * @param wc: The purported wildcard that matched. This is the wildcard name + * as *.wildcard.name., with the *. label already removed. * @return: * sec_status SECURE of the proposition is proven by the NSEC3 RRs, * BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored.