From dc38aacefc1245220f879221fc63468b8567aa36 Mon Sep 17 00:00:00 2001
From: Tom Carpay
Date: Wed, 15 Dec 2021 11:05:45 +0000
Subject: [PATCH] expand ede.tdir to do validator test for DNSKEY, RRSIG and NSEC missing
---
 testdata/ede.tdir/bogus/clean.sh | 2 +-
 testdata/ede.tdir/bogus/dnskey-failures.test | 10 ++
 testdata/ede.tdir/bogus/make-broken-zone.sh | 53 ++++++---
 testdata/ede.tdir/bogus/nsec-failures.test | 10 ++
 testdata/ede.tdir/bogus/rrsig-failures.test | 10 ++
 testdata/ede.tdir/ede-auth.conf | 15 ++-
 testdata/ede.tdir/ede.conf | 16 ++-
 testdata/ede.tdir/ede.test | 107 ++++++++++++++-----
 8 files changed, 179 insertions(+), 44 deletions(-)
 create mode 100644 testdata/ede.tdir/bogus/dnskey-failures.test
 create mode 100644 testdata/ede.tdir/bogus/nsec-failures.test
 create mode 100644 testdata/ede.tdir/bogus/rrsig-failures.test
diff --git a/testdata/ede.tdir/bogus/clean.sh b/testdata/ede.tdir/bogus/clean.sh
index b133e862a..54128f807 100755
--- a/testdata/ede.tdir/bogus/clean.sh
+++ b/testdata/ede.tdir/bogus/clean.sh
@@ -1 +1 @@
-rm -f K* piece1 base expired notyetincepted trust-anchors dnssec-failures.zone.signed
\ No newline at end of file
+rm -f K* piece1 base expired notyetincepted trust-anchors dnssec-failures.test.signed dnskey-failures.test.signed nsec-failures.test.signed rrsig-failures.test.signed
diff --git a/testdata/ede.tdir/bogus/dnskey-failures.test b/testdata/ede.tdir/bogus/dnskey-failures.test
new file mode 100644
index 000000000..49d6ad5a3
--- /dev/null
+++ b/testdata/ede.tdir/bogus/dnskey-failures.test
@@ -0,0 +1,10 @@
+$ORIGIN dnskey-failures.test.
+
+@ SOA ns hostmaster (
+ 1 ; serial
+ 14400 ; refresh (4 hours)
+ 1800 ; retry (30 minutes)
+ 2419200 ; expire (4 weeks)
+ 300 ; minimum (5 minutes)
+)
+ A 192.0.2.1
diff --git a/testdata/ede.tdir/bogus/make-broken-zone.sh b/testdata/ede.tdir/bogus/make-broken-zone.sh
index 8298dd34d..102eba5fe 100755
--- a/testdata/ede.tdir/bogus/make-broken-zone.sh
+++ b/testdata/ede.tdir/bogus/make-broken-zone.sh 
@@ -1,25 +1,54 @@ #!/usr/bin/env bash +# create oudated zones CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnssec-failures.test` echo $CSK echo ". IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" | \ - cat $CSK.ds - > bogus/trust-anchors + cat $CSK.ds - > bogus/trust-anchors ONEMONTHAGO=`date -d 'now - 1 month' +%Y%m%d` YESTERDAY=`date -d 'now - 2 days' +%Y%m%d` TOMORROW=`date -d 'now + 2 days' +%Y%m%d` ldns-signzone -i $YESTERDAY bogus/dnssec-failures.test $CSK -f - | \ - grep -v '^missingrrsigs\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \ - sed 's/Signatures invalid/Signatures INVALID/g' | \ - grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' | \ - grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \ - grep -v '^expired\.dnssec-failures\.test\..*IN.*TXT' | \ - grep -v '^expired\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' > base + grep -v '^missingrrsigs\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \ + sed 's/Signatures invalid/Signatures INVALID/g' | \ + grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' | \ + grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \ + grep -v '^expired\.dnssec-failures\.test\..*IN.*TXT' | \ + grep -v '^expired\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' > base ldns-signzone -i $ONEMONTHAGO -e $YESTERDAY bogus/dnssec-failures.test $CSK -f - | \ - grep -v '[ ]NSEC[ ]' | \ - grep '^expired\.dnssec-failures\.test\..*IN.*TXT' > expired + grep -v '[ ]NSEC[ ]' | \ + grep '^expired\.dnssec-failures\.test\..*IN.*TXT' > expired ldns-signzone -i $TOMORROW bogus/dnssec-failures.test $CSK -f - | \ - grep -v '[ ]NSEC[ ]' | \ - grep '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' > notyetincepted -cat base expired notyetincepted > bogus/dnssec-failures.test.signed && rm -f base expired notyetincepted $CSK.* + grep -v '[ ]NSEC[ ]' | \ + grep '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' > notyetincepted + +cat base expired notyetincepted > 
bogus/dnssec-failures.test.signed + +# create zone with DNSKEY missing +CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnskey-failures.test` +echo $CSK +cat $CSK.ds >> bogus/trust-anchors + +ldns-signzone bogus/dnskey-failures.test $CSK -f tmp.signed +grep -v ' DNSKEY ' tmp.signed > bogus/dnskey-failures.test.signed + +# create zone with NSEC missing +CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom nsec-failures.test` +echo $CSK +cat $CSK.ds >> bogus/trust-anchors + +ldns-signzone bogus/nsec-failures.test $CSK -f tmp.signed +grep -v ' NSEC ' tmp.signed > bogus/nsec-failures.test.signed + +# create zone with RRSIGs missing +CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom rrsig-failures.test` +echo $CSK +cat $CSK.ds >> bogus/trust-anchors + +ldns-signzone bogus/rrsig-failures.test $CSK -f tmp.signed +grep -v ' RRSIG ' tmp.signed > bogus/rrsig-failures.test.signed + +# cleanup +rm -f base expired notyetincepted tmp.signed $CSK.* diff --git a/testdata/ede.tdir/bogus/nsec-failures.test b/testdata/ede.tdir/bogus/nsec-failures.test new file mode 100644 index 000000000..529298df6 --- /dev/null +++ b/testdata/ede.tdir/bogus/nsec-failures.test @@ -0,0 +1,10 @@ +$ORIGIN nsec-failures.test. + +@ SOA ns hostmaster ( + 1 ; serial + 14400 ; refresh (4 hours) + 1800 ; retry (30 minutes) + 2419200 ; expire (4 weeks) + 300 ; minimum (5 minutes) +) + A 192.0.2.1 diff --git a/testdata/ede.tdir/bogus/rrsig-failures.test b/testdata/ede.tdir/bogus/rrsig-failures.test new file mode 100644 index 000000000..cab0b7f48 --- /dev/null +++ b/testdata/ede.tdir/bogus/rrsig-failures.test @@ -0,0 +1,10 @@ +$ORIGIN rrsig-failures.test. + +@ SOA ns hostmaster ( + 1 ; serial + 14400 ; refresh (4 hours) + 1800 ; retry (30 minutes) + 2419200 ; expire (4 weeks) + 300 ; minimum (5 minutes) +) + A 192.0.2.1 diff --git a/testdata/ede.tdir/ede-auth.conf b/testdata/ede.tdir/ede-auth.conf index 792f5b46b..6620cfc9c 100644 --- a/testdata/ede.tdir/ede-auth.conf 
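Review bot: The three new filters `grep -v ' DNSKEY '`, `grep -v ' NSEC '` and `grep -v ' RRSIG '` assume a single space on both sides of the type, whereas the existing filters earlier in the same hunk use bracket classes (`'[ ]NSEC[ ]'`); if ldns-signzone separates fields with tabs the new patterns match nothing, the zone is written out fully signed, and the corresponding checks in ede.test then fail for the wrong reason. A separator-independent form is `grep -v '[[:space:]]DNSKEY[[:space:]]' tmp.signed > bogus/dnskey-failures.test.signed`, and likewise for NSEC and RRSIG. The final `rm -f base expired notyetincepted tmp.signed $CSK.*` only removes the last key pair, since `$CSK` is reassigned three times in this hunk; the earlier K* files are left behind for clean.sh. The script also runs without `set -e`, so a failing `ldns-keygen` leaves `$CSK` empty and `cat $CSK.ds >> bogus/trust-anchors` reads `.ds` instead of the intended DS record, which matters because trust-anchors is what the validating instance trusts; `set -e` after the shebang would stop the build there.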
+++ b/testdata/ede.tdir/ede-auth.conf @@ -9,4 +9,17 @@ server: auth-zone: name: "dnssec-failures.test" - zonefile: "bogus/dnssec-failures.test.signed" \ No newline at end of file + zonefile: "bogus/dnssec-failures.test.signed" + +auth-zone: + name: "dnskey-failures.test" + zonefile: "bogus/dnskey-failures.test.signed" + +auth-zone: + name: "nsec-failures.test" + zonefile: "bogus/nsec-failures.test.signed" + +auth-zone: + name: "rrsig-failures.test" + zonefile: "bogus/rrsig-failures.test.signed" + diff --git a/testdata/ede.tdir/ede.conf b/testdata/ede.tdir/ede.conf index 1bf3cb7cd..84bf6c3ee 100644 --- a/testdata/ede.tdir/ede.conf +++ b/testdata/ede.tdir/ede.conf @@ -8,6 +8,7 @@ server: chroot: "" username: "" directory: "" + val-log-level: 2 # @TODO change this to local file #auto-trust-anchor-file: "/var/lib/unbound/root.key" @@ -36,4 +37,17 @@ server: forward-zone: name: "dnssec-failures.test" - forward-addr: 127.0.0.1@@PORT2@ \ No newline at end of file + forward-addr: 127.0.0.1@@PORT2@ + +forward-zone: + name: "dnskey-failures.test" + forward-addr: 127.0.0.1@@PORT2@ + +forward-zone: + name: "nsec-failures.test" + forward-addr: 127.0.0.1@@PORT2@ + +forward-zone: + name: "rrsig-failures.test" + forward-addr: 127.0.0.1@@PORT2@ + diff --git a/testdata/ede.tdir/ede.test b/testdata/ede.tdir/ede.test index 1474ae8c4..dac5793d1 100644 --- a/testdata/ede.tdir/ede.test +++ b/testdata/ede.tdir/ede.test @@ -30,7 +30,7 @@ $PRE/unbound -d -c ub2.conf > unbound.log 2>&1 & UNBOUND_PID2=$! echo "UNBOUND_PID2=$UNBOUND_PID2" >> .tpkg.var.test -# @TODO did we fix this? +# @TODO did we fix this? -> we do not trigger this anymore # # query with bad edns keepalive # dig @127.0.0.1 -p $UNBOUND_PORT +tcp +ednsopt=11:010203 > keepalive.txt # 
@@ -46,15 +46,17 @@ dig @127.0.0.1 -p $UNBOUND_PORT +norec > snoop.txt if ! grep -q "OPT=15: 00 14" snoop.txt then echo "Incorect cache snoop output" + cat snoop.txt exit 1 fi -# @TODO dnssec bogus local zones something -dig @127.0.0.1 -p $UNBOUND_PORT qwerqwer.hopsa.kidee. TXT +dnssec > bogus.txt +# local-zone always_refuse +dig @127.0.0.1 -p $UNBOUND_PORT qwerqwer.hopsa.kidee. TXT +dnssec > local_zone_refuse.txt -if ! grep -q "OPT=15: 00 0f" bogus.txt +if ! grep -q "OPT=15: 00 0f" local_zone_refuse.txt then - echo "Incorect DNSSEC local zone output" + echo "query to qwerqwer.hopsa.kidee. should be EDE blocked" + cat local_zone_refuse.txt exit 1 fi 
@@ -69,50 +71,59 @@ dig @127.0.0.1 -p $UNBOUND_PORT www.qhqwer.qwer.qwer.h.example.com A > dname_exp if ! grep -q "OPT=15: 00 00 44 4e 41 4d 45 20 65 78 70 61 6e 73 69 6f 6e 20 62 65 63 61 6d 65 20 74 6f 6f 20 6c 61 72 67 65" dname_expansion.txt then echo "No DNAME expansion for CNAME EDE message" + cat dname_expansion.txt exit 1 fi -# RPZ always_null gets EDE forged -dig @127.0.0.1 -p $UNBOUND_PORT uva.nl A > always_null_forged.txt +# local-zone always_null gets EDE forged +dig @127.0.0.1 -p $UNBOUND_PORT uva.nl A > local_zone_always_null_forged.txt -if ! grep -q "OPT=15: 00 04" always_null_forged.txt +if ! grep -q "OPT=15: 00 04" local_zone_always_null_forged.txt then echo "local-zone always_null must have EDE forged code" + cat local_zone_always_null_forged.txt exit 1 fi # RPZ always_refuse -dig @127.0.0.1 -p $UNBOUND_PORT hopsa.kidee. A > always_refuse.txt +dig @127.0.0.1 -p $UNBOUND_PORT hopsa.kidee. A > local_zone_rpz_always_refuse.txt -if ! grep -q "OPT=15: 00 0f" always_refuse.txt +if ! grep -q "OPT=15: 00 0f" local_zone_rpz_always_refuse.txt then echo "local-zone always_refuse must have EDE blocked code" + cat local_zone_rpz_always_refuse.txt exit 1 fi -# @TODO what does this trigger? -> ede blocked, same as bogus.txt? -dig @127.0.0.1 -p $UNBOUND_PORT hopsa.kidee. A - # @TODO trigger mesh DNSSEC bogus + + dig @127.0.0.1 -p $UNBOUND_PORT servfail.nl > servfail.txt -if ! grep -q "OPT=15: 00 06" servfail.txt +if ! grep -q "OPT=15: 00 07" servfail.txt then - echo "query to servfail.nl should return EDE DNSSEC bogus" + echo "query to servfail.nl should return EDE signature expired" + cat servfail.txt exit 1 fi # local data forged answer -#dig @127.0.0.1 -p $UNBOUND_PORT hopsa.nlnetlabs.nl TXT +dig @127.0.0.1 -p $UNBOUND_PORT hopsa.nlnetlabs.nl TXT > local_data_forged.txt -#@TODO write actual test +if ! 
grep -q "OPT=15: 00 04" local_data_forged.txt +then + echo "query to hopsa.nlnetlabs.nl does not give EDE forged" + cat local_data_forged.txt + exit 1 +fi # ACL refused, EDE prohibited -dig @127.0.0.1 -p $UNBOUND_PORT -b 127.0.0.2 example.com > refused.txt +dig @127.0.0.1 -p $UNBOUND_PORT -b 127.0.0.2 example.com > acl_refused.txt -if ! grep -q "OPT=15: 00 12" refused.txt +if ! grep -q "OPT=15: 00 12" acl_refused.txt then echo "ACL refused does not give EDE prohibited" + cat acl_refused.txt exit 1 fi 
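Review bot: The servfail.nl check now expects EDE code 7 (signature expired) from what appears to be a query to a live internet zone (no local auth-zone or forward-zone for it is visible in this commit), so the assertion encodes whatever is currently broken about that zone rather than something the test controls, and it will fail or pass on a change in that zone with no change in unbound. The other DNSSEC cases in this commit are served from local auth-zones on the second instance, and a bogus case built the same way would make this check hermetic. The `# @TODO trigger mesh DNSSEC bogus` comment kept above it no longer describes the check; until it is reworked it could read `# DNSSEC bogus: expired signature on a remote zone (needs network access)`.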
@@ -123,32 +134,70 @@ UNBOUND_PID2=$! echo "UNBOUND_PID2=$UNBOUND_PID2" >> .tpkg.var.test # DNSSEC failure: key not incepted -dig @127.0.0.1 -p $UNBOUND_PORT notyetincepted.dnssec-failures.test. TXT +dnssec > notyetincepted.txt +dig @127.0.0.1 -p $UNBOUND_PORT notyetincepted.dnssec-failures.test. TXT +dnssec > sig_notyetincepted.txt -if ! grep -q "OPT=15: 00 08" notyetincepted.txt +if ! grep -q "OPT=15: 00 08" sig_notyetincepted.txt then echo "Signature not yet valid does not return EDE Signature Not Yet Valid" + cat sig_notyetincepted.txt exit 1 fi -dig @127.0.0.1 -p $UNBOUND_PORT expired.dnssec-failures.test. TXT +dnssec > expired.txt +# DNSSEC failure: key expired +dig @127.0.0.1 -p $UNBOUND_PORT expired.dnssec-failures.test. TXT +dnssec > sig_expired.txt -if ! grep -q "OPT=15: 00 07" expired.txt +if ! grep -q "OPT=15: 00 07" sig_expired.txt then echo "Expired signature does not return EDE Signature expired" + cat sig_expired.txt exit 1 fi -# DNSSEC indeterminate +# DNSSEC failure: missing rrsigs +dig @127.0.0.1 -p $UNBOUND_PORT missingrrsigs.dnssec-failures.test. TXT +dnssec > missingrrsigs.txt + +if ! grep -q "OPT=15: 00 0a" missingrrsigs.txt +then + echo "Expired signature does not return EDE RRSIGs missing" + cat missingrrsigs.txt + exit 1 +fi + +# signed zone with DNSKEY missing +dig @127.0.0.1 -p $UNBOUND_PORT dnskey-failures.test > dnskey-failure.txt + +if ! grep -q "OPT=15: 00 09" dnskey-failure.txt +then + echo "Expired signature does not return EDE DNSKEY missing" + cat dnskey-failure.txt + exit 1 +fi + +# signed zone with RRSIGs missing +dig @127.0.0.1 -p $UNBOUND_PORT rrsig-failures.test > rrsig-failure.txt + +if ! grep -q "OPT=15: 00 0a" rrsig-failure.txt +then + echo "Expired signature does not return EDE RRSIGs missing" + cat rrsig-failure.txt + exit 1 +fi + +# signed zone with NSEC missing +dig @127.0.0.1 -p $UNBOUND_PORT nsec-failures.test > nsec-failure.txt + +if ! 
grep -q "OPT=15: 00 0c" nsec-failure.txt +then + echo "Expired signature does not return EDE NSEC missing" + cat nsec-failure.txt + exit 1 +fi -# ZONE KEY TOEVOEGEN AAN UNBOUND -# SIGNEN MET LDNS SIGNER -# MAKE ZONE RECORD WITH EXPIRED AND NOT INCEPTED RECORD -# zone aanmaken met auth-zone op een tweede unbound +# @TODO DNSSEC indeterminate # teardown kill_pid $UNBOUND_PID -kill_pid $UNBOUND_PID2 \ No newline at end of file +kill_pid $UNBOUND_PID2 -- 2.47.2
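Review bot: The four new failure messages from the missingrrsigs block onward all start with `Expired signature does not return EDE ...`, copied from the expired-signature check above them, so a failing DNSKEY, RRSIG or NSEC case reports the wrong scenario in the log; for example `echo "query to dnskey-failures.test. does not return EDE DNSKEY missing"`. Each of these checks also only greps for the EDE option bytes and never looks at the rcode, so an answer carrying the expected code but still returned with NOERROR would pass; adding `grep -q "status: SERVFAIL" dnskey-failure.txt` next to each OPT check would confirm the validator actually withheld the data. The `# DNSSEC failure: key expired` comment describes a signature rather than a key, given the output file sig_expired.txt and expected code 7.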