From: TCY16
Date: Mon, 18 Oct 2021 14:45:42 +0000 (+0200)
Subject: add dnssec ede tests
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df984d9c6ff0f8a5e749561fec0135214ea2079a;p=thirdparty%2Funbound.git
add dnssec ede tests
---
diff --git a/testdata/ede.tdir/bogus/make-broken-zone.sh b/testdata/ede.tdir/bogus/make-broken-zone.sh
index efc230da4..8298dd34d 100755
--- a/testdata/ede.tdir/bogus/make-broken-zone.sh
+++ b/testdata/ede.tdir/bogus/make-broken-zone.sh
@@ -4,22 +4,22 @@ CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnssec-failures.test`
 echo $CSK
 echo ". IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" | \
- cat $CSK.ds - > trust-anchors
+ cat $CSK.ds - > bogus/trust-anchors
 ONEMONTHAGO=`date -d 'now - 1 month' +%Y%m%d`
 YESTERDAY=`date -d 'now - 2 days' +%Y%m%d`
 TOMORROW=`date -d 'now + 2 days' +%Y%m%d`
-ldns-signzone -i $YESTERDAY dnssec-failures.test $CSK -f - | \
+ldns-signzone -i $YESTERDAY bogus/dnssec-failures.test $CSK -f - | \
 grep -v '^missingrrsigs\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
 sed 's/Signatures invalid/Signatures INVALID/g' | \
 grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' | \
 grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
 grep -v '^expired\.dnssec-failures\.test\..*IN.*TXT' | \
 grep -v '^expired\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' > base
-ldns-signzone -i $ONEMONTHAGO -e $YESTERDAY dnssec-failures.test $CSK -f - | \
+ldns-signzone -i $ONEMONTHAGO -e $YESTERDAY bogus/dnssec-failures.test $CSK -f - | \
 grep -v '[ ]NSEC[ ]' | \
 grep '^expired\.dnssec-failures\.test\..*IN.*TXT' > expired
-ldns-signzone -i $TOMORROW dnssec-failures.test $CSK -f - | \
+ldns-signzone -i $TOMORROW bogus/dnssec-failures.test $CSK -f - | \
 grep -v '[ ]NSEC[ ]' | \
 grep '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' > notyetincepted
-cat base expired notyetincepted > dnssec-failures.test.signed && rm -f base expired notyetincepted $CSK.*
+cat base expired notyetincepted > bogus/dnssec-failures.test.signed && rm -f base expired notyetincepted $CSK.*
diff --git a/testdata/ede.tdir/ede-auth.conf b/testdata/ede.tdir/ede-auth.conf
index 1d7e9a181..792f5b46b 100644
--- a/testdata/ede.tdir/ede-auth.conf
+++ b/testdata/ede.tdir/ede-auth.conf
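Review bot: The rewritten last line `rm -f base expired notyetincepted $CSK.*` is unsafe when `$CSK` is empty, which is exactly what happens when ldns-keygen is missing or fails: the word then globs as `.*`, and the `&&` still fires because cat of three empty files succeeds, so the dotfiles in the test's working directory — including the .tpkg.var.test that ede.test writes — are deleted. Guard the key name right after it is generated, e.g. `[ -n "$CSK" ] || { echo "ldns-keygen failed" >&2; exit 1; }`, and quote the expansion on the new line, `rm -f -- base expired notyetincepted "$CSK".*`. The same unquoted `$CSK` feeds the three ldns-signzone lines and `date -d` ties the script to GNU date, but both predate this change. The script's opening lines, including the keygen call, are outside the hunk.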
@@ -5,8 +5,8 @@ server:
 username: ""
 directory: ""
 local-zone: test nodefault
- port: 53535
+ port: @PORT2@
 auth-zone:
 name: "dnssec-failures.test"
- zonefile: "testdata/ede.tdir/bogus/dnssec-failures.test.signed"
\ No newline at end of file
+ zonefile: "bogus/dnssec-failures.test.signed"
\ No newline at end of file
diff --git a/testdata/ede.tdir/ede.conf b/testdata/ede.tdir/ede.conf
index 8f02a3c1e..309e79a93 100644
--- a/testdata/ede.tdir/ede.conf
+++ b/testdata/ede.tdir/ede.conf
@@ -11,7 +11,7 @@ server:
 # @TODO change this to local file
 #auto-trust-anchor-file: "/var/lib/unbound/root.key"
- trust-anchor-file: "testdata/ede.tdir/bogus/trust-anchors"
+ trust-anchor-file: "bogus/trust-anchors"
 module-config: "respip validator iterator"
@@ -20,10 +20,10 @@ server:
 local-zone: hopsa.kidee. always_refuse
 local-data: "hopsa.kidee. TXT hela hola"
- localzone: nlnetlabs.nl transparant
+ local-zone: nlnetlabs.nl transparent
 local-data: "hopsa.nlnetlabs.nl. TXT hela hola"
- local-zone: uva.nl. always_null
+ local-zone: uva.nl. always_null
 local-zone: example.com redirect
 local-data: "example.com CNAME *.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaa."
@@ -32,5 +32,5 @@ server:
 do-not-query-localhost: no
 forward-zone:
- name: "dnssec-failures.test"
- forward-addr: 127.0.0.1@@PORT2@
\ No newline at end of file
+ name: "dnssec-failures.test"
+ forward-addr: 127.0.0.1@@PORT2@
\ No newline at end of file
diff --git a/testdata/ede.tdir/ede.test b/testdata/ede.tdir/ede.test
index 2c05ac449..5823dc68a 100644
--- a/testdata/ede.tdir/ede.test
+++ b/testdata/ede.tdir/ede.test
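Review bot: The new relative `zonefile: "bogus/dnssec-failures.test.signed"` in ede-auth.conf, like `trust-anchor-file: "bogus/trust-anchors"` in ede.conf's first hunk, is resolved against the daemon's working directory, so it presumably only works because `directory: ""` (visible in this hunk) keeps unbound from changing directory and because ede.test launches it from the ede.tdir directory; neither file says so. A one-line comment above each path would make that coupling visible, e.g. `# relative to the tpkg work dir (ede.tdir); keep directory: "" empty`. Both files also still end without a trailing newline on the lines this commit rewrites.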
@@ -12,15 +12,25 @@ echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
 echo "UNBOUND_PORT2=$UNBOUND_PORT2" >> .tpkg.var.test
 # rewrite config file with created ports
-sed -e 's/@PORT\@/'$UNBOUND_PORT'/g; s/@PORT2\@/'$UNBOUND_PORT2'/g' < ede.conf > ub.conf
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' < ede.conf > temp.conf
+sed -e 's/@PORT2\@/'$UNBOUND_PORT2'/' < temp.conf > ub.conf
 sed -e 's/@PORT2\@/'$UNBOUND_PORT2'/' < ede-auth.conf > ub2.conf
+# create broken dnssec zone
+bogus/make-broken-zone.sh
+
 # start unbound in the background
 PRE="../.."
 $PRE/unbound -d -c ub.conf > unbound.log 2>&1 &
 UNBOUND_PID=$!
 echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+# start authoritative unbound in the background
+$PRE/unbound -d -c ub2.conf > unbound.log 2>&1 &
+UNBOUND_PID2=$!
+echo "UNBOUND_PID2=$UNBOUND_PID2" >> .tpkg.var.test
+
+
 # query with bad edns keepalive
 dig @127.0.0.1 -p $UNBOUND_PORT +tcp +ednsopt=11:010203 > keepalive.txt
@@ -74,14 +84,14 @@ fi
 # RPZ always_refuse
 dig @127.0.0.1 -p $UNBOUND_PORT hopsa.kidee. A > always_refuse.txt
-if ! grep -q "OPT=15: 00 04" always_refuse.txt
+if ! grep -q "OPT=15: 00 0f" always_refuse.txt
 then
- echo "local-zone always_null must have EDE blocked code"
+ echo "local-zone always_refuse must have EDE blocked code"
 exit 1
 fi
-# @TODO what does this trigger?
-dig @localhost hopsa.kidee. A
+# @TODO what does this trigger? -> ede blocked
+dig @127.0.0.1 -p $UNBOUND_PORT hopsa.kidee. A
 # @TODO trigger mesh DNSSEC bogus
 dig @127.0.0.1 -p $UNBOUND_PORT servfail.nl > servfail.txt
@@ -93,7 +103,7 @@ then
 fi
 # local data forged answer
-dig @127.0.0.1 -p $UNBOUND_PORT hopsa.nlnetlabs.nl TXT
+#dig @127.0.0.1 -p $UNBOUND_PORT hopsa.nlnetlabs.nl TXT
 #@TODO write actual test
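Review bot: The added authoritative instance `$PRE/unbound -d -c ub2.conf > unbound.log 2>&1 &` reuses the log file of the resolver started a few lines earlier; the second `>` truncates it and both daemons then write into the same file, so the resolver's startup output is lost and the validator messages the later DNSSEC checks would need for debugging are interleaved. Give it its own file: `$PRE/unbound -d -c ub2.conf > unbound2.log 2>&1 &`. The exit status of `bogus/make-broken-zone.sh` is also not checked, so a missing ldns-keygen or ldns-signzone leaves an empty or absent signed zone and the auth server is started anyway; `bogus/make-broken-zone.sh || { echo "make-broken-zone.sh failed"; exit 1; }` fails fast with a clear message. The intermediate `temp.conf` could be avoided by passing both expressions to a single sed (`sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@PORT2\@/'$UNBOUND_PORT2'/' < ede.conf > ub.conf`), and whether the post script also reads UNBOUND_PID2 from .tpkg.var.test to stop the second daemon cannot be seen from this diff.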
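Review bot: In the second hunk, the re-added `dig @127.0.0.1 -p $UNBOUND_PORT hopsa.kidee. A` under the `-> ede blocked` TODO repeats the always_refuse query at the top of the hunk with its output neither saved nor checked, so it only sends a second query; either drop it or fold whatever it is meant to show into the assertion above it. The corrected expected value `00 0f` matches EDE code 15 (Blocked) rather than 4 (Forged Answer), which is worth recording in the comment so the hex is not read as arbitrary, e.g. `# always_refuse must return EDE 15 (Blocked), option value 00 0f`. The `servfail.nl` query that follows is unchanged context here, but it resolves through the real root trust anchor and so makes the bogus check depend on outbound network access; a TODO next to it noting that the new local dnssec-failures.test zone is the intended replacement would help.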