From 46419ee37ac0d4f086ecbf48a9e374fb4bb024c3 Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Thu, 28 Apr 2016 14:30:32 +0200 Subject: [PATCH] Add 2 tests with subtrees inside a secure zone To test if the recursor actually validates RRSIGs with a signer name that is not directly a parent of the name to validate. i.e. validates signer name = 'domain.example' and record owner name = 'some.sub.domain.example' --- regression-tests.recursor-dnssec/basicDNSSEC.py | 14 ++++++++++++++ regression-tests.recursor-dnssec/recursortests.py | 2 ++ 2 files changed, 16 insertions(+) diff --git a/regression-tests.recursor-dnssec/basicDNSSEC.py b/regression-tests.recursor-dnssec/basicDNSSEC.py index b8b835a4ad..b58ecc8da7 100644 --- a/regression-tests.recursor-dnssec/basicDNSSEC.py +++ b/regression-tests.recursor-dnssec/basicDNSSEC.py @@ -67,3 +67,17 @@ class BasicDNSSEC(RecursorTest): self.assertRcodeEqual(res, dns.rcode.NOERROR) self.assertNoRRSIGsInAnswer(res) + + def testSecureSubtreeInZoneAnswer(self): + res = self.sendQuery('host1.sub.secure.example.', 'A') + expected = dns.rrset.from_text('host1.sub.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.11') + + self.assertRcodeEqual(res, dns.rcode.NOERROR) + self.assertMatchingRRSIGInAnswer(res, expected) + self.assertMessageIsAuthenticated(res) + + def testSecureSubtreeInZoneNXDOMAIN(self): + res = self.sendQuery('host2.sub.secure.example.', 'A') + + self.assertRcodeEqual(res, dns.rcode.NXDOMAIN) + self.assertMessageIsAuthenticated(res) diff --git a/regression-tests.recursor-dnssec/recursortests.py b/regression-tests.recursor-dnssec/recursortests.py index 493e5b330f..8875190555 100644 --- a/regression-tests.recursor-dnssec/recursortests.py +++ b/regression-tests.recursor-dnssec/recursortests.py @@ -96,6 +96,8 @@ secure.example. 3600 IN NS ns.secure.example. ns.secure.example. 3600 IN A {prefix}.9 host1.secure.example. 3600 IN A 192.0.2.2 + +host1.sub.secure.example. 3600 IN A 192.0.2.11 """, 'bogus.example': """ bogus.example. 3600 IN SOA {soa} -- 2.47.2