From: TCY16
Date: Wed, 13 Oct 2021 09:17:42 +0000 (+0200)
Subject: add test setup for DNSSEC EDEs
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d2a719f606ae7bab4c6c5e80bd60e48d3700e9ec;p=thirdparty%2Funbound.git
add test setup for DNSSEC EDEs
---
diff --git a/testdata/ede.tdir/bogus/clean.sh b/testdata/ede.tdir/bogus/clean.sh
new file mode 100755
index 000000000..b133e862a
--- /dev/null
+++ b/testdata/ede.tdir/bogus/clean.sh
@@ -0,0 +1 @@
+rm -f K* piece1 base expired notyetincepted trust-anchors dnssec-failures.zone.signed
\ No newline at end of file
diff --git a/testdata/ede.tdir/bogus/dnssec-failures.test b/testdata/ede.tdir/bogus/dnssec-failures.test
new file mode 100644
index 000000000..5af5941c0
--- /dev/null
+++ b/testdata/ede.tdir/bogus/dnssec-failures.test
@@ -0,0 +1,15 @@
+$ORIGIN dnssec-failures.test.
+
+@ SOA ns hostmaster (
+ 1 ; serial
+ 14400 ; refresh (4 hours)
+ 1800 ; retry (30 minutes)
+ 2419200 ; expire (4 weeks)
+ 300 ; minimum (5 minutes)
+)
+ NS ns
+ns A 192.0.2.1
+notyetincepted TXT "Not yet incepted"
+expired TXT "Expired"
+sigsinvalid TXT "Signatures invalid"
+missingrrsigs TXT "Signatures missing"
\ No newline at end of file
diff --git a/testdata/ede.tdir/bogus/make-broken-zone.sh b/testdata/ede.tdir/bogus/make-broken-zone.sh
new file mode 100755
index 000000000..efc230da4
--- /dev/null
+++ b/testdata/ede.tdir/bogus/make-broken-zone.sh
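Review bot: clean.sh removes `dnssec-failures.zone.signed`, but the file that make-broken-zone.sh writes and that ede-auth.conf loads is `dnssec-failures.test.signed`, so the generated signed zone survives a clean run; `piece1` is not produced by anything in this commit. A line that matches what the generator actually creates would be `rm -f Kdnssec-failures.test* base expired notyetincepted trust-anchors dnssec-failures.test.signed`, which also narrows the bare `K*` glob so it cannot delete unrelated K-prefixed files in the working directory. The file is committed with mode 100755 but has no shebang line; add `#!/bin/sh` at the top if it is meant to be executed directly rather than sourced by the test harness.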
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnssec-failures.test`
+echo $CSK
+
+echo ". IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" | \
+ cat $CSK.ds - > trust-anchors
+
+ONEMONTHAGO=`date -d 'now - 1 month' +%Y%m%d`
+YESTERDAY=`date -d 'now - 2 days' +%Y%m%d`
+TOMORROW=`date -d 'now + 2 days' +%Y%m%d`
+ldns-signzone -i $YESTERDAY dnssec-failures.test $CSK -f - | \
+ grep -v '^missingrrsigs\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
+ sed 's/Signatures invalid/Signatures INVALID/g' | \
+ grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' | \
+ grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
+ grep -v '^expired\.dnssec-failures\.test\..*IN.*TXT' | \
+ grep -v '^expired\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' > base
+ldns-signzone -i $ONEMONTHAGO -e $YESTERDAY dnssec-failures.test $CSK -f - | \
+ grep -v '[ ]NSEC[ ]' | \
+ grep '^expired\.dnssec-failures\.test\..*IN.*TXT' > expired
+ldns-signzone -i $TOMORROW dnssec-failures.test $CSK -f - | \
+ grep -v '[ ]NSEC[ ]' | \
+ grep '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' > notyetincepted
+cat base expired notyetincepted > dnssec-failures.test.signed && rm -f base expired notyetincepted $CSK.*
diff --git a/testdata/ede.tdir/ede-auth.conf b/testdata/ede.tdir/ede-auth.conf
new file mode 100644
index 000000000..1d7e9a181
--- /dev/null
+++ b/testdata/ede.tdir/ede-auth.conf
@@ -0,0 +1,12 @@
+server:
+ verbosity: 1
+ use-syslog: no
+ chroot: ""
+ username: ""
+ directory: ""
+ local-zone: test nodefault
+ port: 53535
+
+auth-zone:
+ name: "dnssec-failures.test"
+ zonefile: "testdata/ede.tdir/bogus/dnssec-failures.test.signed"
\ No newline at end of file
diff --git a/testdata/ede.tdir/ede.conf b/testdata/ede.tdir/ede.conf
index b8739071b..8f02a3c1e 100644
--- a/testdata/ede.tdir/ede.conf
+++ b/testdata/ede.tdir/ede.conf
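Review bot: make-broken-zone.sh never checks that `ldns-keygen` or `ldns-signzone` succeeded: there is no `set -e`/`set -o pipefail`, `$CSK` is unquoted, and each signing pipeline ends in `grep`, so a failed keygen leaves `$CSK` empty and the script still writes a trust-anchors file holding only the root DS plus an empty or partial `dnssec-failures.test.signed`, which only surfaces later as an unrelated validation failure in ede.test. Putting `set -euo pipefail` after the shebang and writing `CSK=$(ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnssec-failures.test) || exit 1` makes it fail at the real cause. The signing windows are relative to run time (`-i` two days back or ahead, `-e` two days back), so the output is only correct for a couple of days and the notyetincepted case starts validating after that; the ede.test hunks visible here do not invoke this script, so a header comment stating that it must be run immediately before the test (and that the output is not meant to be committed) would prevent a stale zone from being reused. `date -d 'now - 1 month'` is GNU coreutils syntax that BSD/macOS date rejects, so the script is Linux-only as written; note that in the same header comment.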
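Review bot: `port: 53535` in ede-auth.conf is a fixed port, while ede.test derives the authoritative instance's port as `$UNBOUND_PORT2`, rewrites `@PORT2@` from this file into ub2.conf, and through ede.conf forwards `dnssec-failures.test` to `127.0.0.1@@PORT2@`; because this file contains no `@PORT2@` placeholder, the forwarder will send its queries to a port nothing listens on. Use `port: @PORT2@` here so the existing sed in ede.test yields a matching ub2.conf. The later ede.test hunk that starts the authoritative instance also still passes `-c ub.conf` and writes to the same `unbound.log`, so ub2.conf is never used at all; that start should read `$PRE/unbound -d -c ub2.conf > unbound2.log 2>&1 &`.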
@@ -7,9 +7,11 @@ server:
 pidfile: "unbound.pid"
 chroot: ""
 username: ""
+ directory: ""
 # @TODO change this to local file
- auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ #auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ trust-anchor-file: "testdata/ede.tdir/bogus/trust-anchors"
 module-config: "respip validator iterator"
@@ -21,7 +23,14 @@ server:
 localzone: nlnetlabs.nl transparant
 local-data: "hopsa.nlnetlabs.nl. TXT hela hola"
- local-zone: uva.nl. always_null
+ local-zone: uva.nl. always_null
 local-zone: example.com redirect
- local-data: "example.com CNAME *.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaa."
\ No newline at end of file
+ local-data: "example.com CNAME *.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaa."
+
+ local-zone: test nodefault
+ do-not-query-localhost: no
+
+forward-zone:
+ name: "dnssec-failures.test"
+ forward-addr: 127.0.0.1@@PORT2@
\ No newline at end of file
diff --git a/testdata/ede.tdir/ede.test b/testdata/ede.tdir/ede.test
index fc5a781ee..2c05ac449 100644
--- a/testdata/ede.tdir/ede.test
+++ b/testdata/ede.tdir/ede.test
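Review bot: The `# @TODO change this to local file` comment in the first hunk now sits above a commented-out `auto-trust-anchor-file` and the new `trust-anchor-file: "testdata/ede.tdir/bogus/trust-anchors"`, which is exactly the local file the TODO asked for, so the TODO is stale and the commented-out line is dead configuration. Replace the three lines with `trust-anchor-file: "testdata/ede.tdir/bogus/trust-anchors"` preceded by a comment such as `# DS of the test CSK plus the root DS; generated by bogus/make-broken-zone.sh, not committed`, so a reader knows the file must exist before unbound will start. The path is relative and, with `directory: ""`, resolves against whatever working directory unbound is launched from, so it presumably only works when the test runs from the repository root; stating that assumption in the same comment would save the next reader a failed start.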
@@ -9,10 +9,10 @@ get_random_port 2
 UNBOUND_PORT=$RND_PORT
 UNBOUND_PORT2=$(($RND_PORT + 1))
 echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
-echo "UNBOUND_PORT=2=$UNBOUND_PORT2" >> .tpkg.var.test
+echo "UNBOUND_PORT2=$UNBOUND_PORT2" >> .tpkg.var.test
 # rewrite config file with created ports
-sed -e 's/@PORT\@/'$UNBOUND_PORT'/' < ede.conf > ub.conf
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/g; s/@PORT2\@/'$UNBOUND_PORT2'/g' < ede.conf > ub.conf
 sed -e 's/@PORT2\@/'$UNBOUND_PORT2'/' < ede-auth.conf > ub2.conf
 # start unbound in the background
@@ -21,12 +21,6 @@ $PRE/unbound -d -c ub.conf > unbound.log 2>&1 &
 UNBOUND_PID=$!
 echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
-# start "authoritative unbound" in the background
-$PRE/unbound -d -c ub.conf > unbound.log 2>&1 &
-UNBOUND_PID2=$!
-echo "UNBOUND_PID2=$UNBOUND_PID2" >> .tpkg.var.test
-
-
 # query with bad edns keepalive
 dig @127.0.0.1 -p $UNBOUND_PORT +tcp +ednsopt=11:010203 > keepalive.txt
@@ -101,8 +95,10 @@ fi
 # local data forged answer
 dig @127.0.0.1 -p $UNBOUND_PORT hopsa.nlnetlabs.nl TXT
+#@TODO write actual test
+
 # ACL refused, EDE prohibited
-dig @127.0.0.1 -b 127.0.0.2 example.com > refused.txt
+dig @127.0.0.1 -p $UNBOUND_PORT -b 127.0.0.2 example.com > refused.txt
 if ! grep -q "OPT=15: 00 12" refused.txt
 then
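Review bot: In the third hunk the new `#@TODO write actual test` leaves the "local data forged answer" query without any assertion: the `dig @127.0.0.1 -p $UNBOUND_PORT hopsa.nlnetlabs.nl TXT` output goes to stdout and this section passes whatever the resolver returns, so the TODO silently hides a missing check. Either redirect it and assert like the neighbouring cases, `dig @127.0.0.1 -p $UNBOUND_PORT hopsa.nlnetlabs.nl TXT > forged.txt` followed by a `grep -q` for the expected EDE option, or drop the query until the test exists. The `if ! grep -q "OPT=15: 00 12" refused.txt` check that the corrected dig line feeds depends on dig printing EDNS option 15 as raw `OPT=15:` bytes; newer dig releases decode it as `EDE: 18 (Prohibited)` instead, so the pattern may need to accept both forms — worth confirming against the dig version used in CI.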
@@ -111,6 +107,27 @@ then
 fi
+# start authoritative unbound in the background
+$PRE/unbound -d -c ub.conf > unbound.log 2>&1 &
+UNBOUND_PID2=$!
+echo "UNBOUND_PID2=$UNBOUND_PID2" >> .tpkg.var.test
+
+# DNSSEC failure: key not incepted
+dig @127.0.0.1 -p $UNBOUND_PORT notyetincepted.dnssec-failures.test. TXT +dnssec > notyetincepted.txt
+
+if ! grep -q "OPT=15: 00 08" notyetincepted.txt
+then
+ echo "Signature not yet valid does not return EDE Signature Not Yet Valid"
+ exit 1
+fi
+
+dig @127.0.0.1 -p $UNBOUND_PORT expired.dnssec-failures.test. TXT +dnssec > expired.txt
+
+if ! grep -q "OPT=15: 00 07" expired.txt
+then
+ echo "Expired signature does not return EDE Signature expired"
+ exit 1
+fi
 # DNSSEC indeterminate