plugin/dnssec/black_lies_test.go

package dnssec

import (
	"testing"
	"time"

	"github.com/coredns/coredns/plugin/test"
	"github.com/coredns/coredns/request"

	"github.com/miekg/dns"
)

func TestZoneSigningBlackLies(t *testing.T) {
	d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
	defer rm1()
	defer rm2()

	m := testNxdomainMsg()
	state := request.Request{Req: m, Zone: "miek.nl."}
	m = d.Sign(state, time.Now().UTC(), server)
	if !section(m.Ns, 2) {
		t.Errorf("Authority section should have 2 sigs")
	}
	var nsec *dns.NSEC
	for _, r := range m.Ns {
		if r.Header().Rrtype == dns.TypeNSEC {
			nsec = r.(*dns.NSEC)
		}
	}
	if m.Rcode != dns.RcodeSuccess {
		t.Errorf("Expected rcode %d, got %d", dns.RcodeSuccess, m.Rcode)
	}
	if nsec == nil {
		t.Fatalf("Expected NSEC, got none")
	}
	if nsec.Hdr.Name != "ww.miek.nl." {
		t.Errorf("Expected %s, got %s", "ww.miek.nl.", nsec.Hdr.Name)
	}
	if nsec.NextDomain != "\\000.ww.miek.nl." {
		t.Errorf("Expected %s, got %s", "\\000.ww.miek.nl.", nsec.NextDomain)
	}
}

func TestBlackLiesNoError(t *testing.T) {
	d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
	defer rm1()
	defer rm2()

	m := testSuccessMsg()
	state := request.Request{Req: m, Zone: "miek.nl."}
	m = d.Sign(state, time.Now().UTC(), server)

	if m.Rcode != dns.RcodeSuccess {
		t.Errorf("Expected rcode %d, got %d", dns.RcodeSuccess, m.Rcode)
	}

	if len(m.Answer) != 2 {
		t.Errorf("Answer section should have 2 RRs")
	}
	sig, txt := false, false
	for _, rr := range m.Answer {
		if _, ok := rr.(*dns.RRSIG); ok {
			sig = true
		}
		if _, ok := rr.(*dns.TXT); ok {
			txt = true
		}
	}
	if !sig || !txt {
		t.Errorf("Expected RRSIG and TXT in answer section")
	}
}

func TestBlackLiesApexNsec(t *testing.T) {
	d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
	defer rm1()
	defer rm2()

	m := testNsecMsg()
	m.SetQuestion("miek.nl.", dns.TypeNSEC)
	state := request.Request{Req: m, Zone: "miek.nl."}
	m = d.Sign(state, time.Now().UTC(), server)
	if len(m.Ns) > 0 {
		t.Error("Authority section should be empty")
	}
	if len(m.Answer) != 2 {
		t.Errorf("Answer section should have 2 RRs")
	}
	sig, nsec := false, false
	for _, rr := range m.Answer {
		if _, ok := rr.(*dns.RRSIG); ok {
			sig = true
		}
		if rnsec, ok := rr.(*dns.NSEC); ok {
			nsec = true
			var bitpresent uint
			for _, typeBit := range rnsec.TypeBitMap {
				switch typeBit {
				case dns.TypeSOA:
					bitpresent |= 4
				case dns.TypeNSEC:
					bitpresent |= 1
				case dns.TypeRRSIG:
					bitpresent |= 2
				}
			}
			if bitpresent != 7 {
				t.Error("NSEC must have SOA, RRSIG and NSEC in its bitmap")
			}
		}
	}
	if !sig || !nsec {
		t.Errorf("Expected RRSIG and NSEC in answer section")
	}
}

func TestBlackLiesNsec(t *testing.T) {
	d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
	defer rm1()
	defer rm2()

	m := testNsecMsg()
	m.SetQuestion("www.miek.nl.", dns.TypeNSEC)
	state := request.Request{Req: m, Zone: "miek.nl."}
	m = d.Sign(state, time.Now().UTC(), server)
	if len(m.Ns) > 0 {
		t.Error("Authority section should be empty")
	}
	if len(m.Answer) != 2 {
		t.Errorf("Answer section should have 2 RRs")
	}
	sig, nsec := false, false
	for _, rr := range m.Answer {
		if _, ok := rr.(*dns.RRSIG); ok {
			sig = true
		}
		if rnsec, ok := rr.(*dns.NSEC); ok {
			nsec = true
			var bitpresent uint
			for _, typeBit := range rnsec.TypeBitMap {
				switch typeBit {
				case dns.TypeNSEC:
					bitpresent |= 1
				case dns.TypeRRSIG:
					bitpresent |= 2
				}
			}
			if bitpresent != 3 {
				t.Error("NSEC must have RRSIG and NSEC in its bitmap")
			}
		}
	}
	if !sig || !nsec {
		t.Errorf("Expected RRSIG and NSEC in answer section")
	}
}

func TestBlackLiesApexDS(t *testing.T) {
	d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
	defer rm1()
	defer rm2()

	m := testApexDSMsg()
	m.SetQuestion("miek.nl.", dns.TypeDS)
	state := request.Request{Req: m, Zone: "miek.nl."}
	m = d.Sign(state, time.Now().UTC(), server)
	if !section(m.Ns, 2) {
		t.Errorf("Authority section should have 2 sigs")
	}
	var nsec *dns.NSEC
	for _, r := range m.Ns {
		if r.Header().Rrtype == dns.TypeNSEC {
			nsec = r.(*dns.NSEC)
		}
	}
	if nsec == nil {
		t.Error("Expected NSEC, got none")
	} else if correctNsecForDS(nsec) {
		t.Error("NSEC DS at the apex zone should cover all apex type.")
	}
}

func TestBlackLiesDS(t *testing.T) {
	d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
	defer rm1()
	defer rm2()

	m := testApexDSMsg()
	m.SetQuestion("sub.miek.nl.", dns.TypeDS)
	state := request.Request{Req: m, Zone: "miek.nl."}
	m = d.Sign(state, time.Now().UTC(), server)
	if !section(m.Ns, 2) {
		t.Errorf("Authority section should have 2 sigs")
	}
	var nsec *dns.NSEC
	for _, r := range m.Ns {
		if r.Header().Rrtype == dns.TypeNSEC {
			nsec = r.(*dns.NSEC)
		}
	}
	if nsec == nil {
		t.Error("Expected NSEC, got none")
	} else if !correctNsecForDS(nsec) {
		t.Error("NSEC DS should cover delegation type only.")
	}
}

func correctNsecForDS(nsec *dns.NSEC) bool {
	var bitmask uint
	/* Coherent TypeBitMap for NSEC of DS should contain at least:
	 * {TypeNS, TypeNSEC, TypeRRSIG} and no SOA.
	 * Any missing type will confuse resolver because
	 * it will prove that the dns query cannot be a delegation point,
	 * which will break trust resolution for unsigned delegated domain.
	 * No SOA is obvious for none apex query.
	 */
	for _, typeBitmask := range nsec.TypeBitMap {
		switch typeBitmask {
		case dns.TypeNS:
			bitmask |= 1
		case dns.TypeNSEC:
			bitmask |= 2
		case dns.TypeRRSIG:
			bitmask |= 4
		case dns.TypeSOA:
			return false
		}
	}
	return bitmask == 7
}

func testNxdomainMsg() *dns.Msg {
	return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeNameError},
		Question: []dns.Question{{Name: "ww.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeTXT}},
		Ns:       []dns.RR{test.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400")},
	}
}

func testSuccessMsg() *dns.Msg {
	return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeSuccess},
		Question: []dns.Question{{Name: "www.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeTXT}},
		Answer:   []dns.RR{test.TXT(`www.miek.nl.	1800	IN	TXT	"response"`)},
	}
}

func testNsecMsg() *dns.Msg {
	return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeNameError},
		Question: []dns.Question{{Name: "www.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeNSEC}},
		Ns:       []dns.RR{test.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400")},
	}
}

func testApexDSMsg() *dns.Msg {
	return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeNameError},
		Question: []dns.Question{{Name: "miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeDS}},
		Ns:       []dns.RR{test.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400")},
	}
}
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`package dnssec`

			`import (`
			`"testing"`
			`"time"`

Remove the word middleware (#1067) * Rename middleware to plugin first pass; mostly used 'sed', few spots where I manually changed text. This still builds a coredns binary. * fmt error * Rename AddMiddleware to AddPlugin * Readd AddMiddleware to remain backwards compat 2017-09-14 09:36:06 +01:00			`"github.com/coredns/coredns/plugin/test"`
Fix import path `github.com/miekg/coredns` -> `github.com/coredns/coredns` (#547) This fix fixes import path from `github.com/miekg/coredns` -> `github.com/coredns/coredns` 2017-02-21 22:51:47 -08:00			`"github.com/coredns/coredns/request"`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00
			`"github.com/miekg/dns"`
			`)`

			`func TestZoneSigningBlackLies(t *testing.T) {`
			`d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})`
			`defer rm1()`
			`defer rm2()`

			`m := testNxdomainMsg()`
plugin/dnssec: implement shotgun from CloudFlare (#1305) * plugin/dnssec: implement shotgun from CloudFlare Put a whole bunch of types in the NSEC bitmap and remove the one that's being asked for. Add more records for queries to the apex, SOA, DNSKEY, MX. 2018-01-03 11:11:56 +00:00			`state := request.Request{Req: m, Zone: "miek.nl."}`
plugin/dnssec: add per server metrics (#1743) * plugin/dnssec: add per server metrics final plugin. Fixes #1696 #1492 #1189 * Move cache cap into handler so we can access the server label * Remove cache-capacity from it entirely 2018-04-27 19:37:31 +01:00			`m = d.Sign(state, time.Now().UTC(), server)`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`if !section(m.Ns, 2) {`
presubmit: check for uppercase (#1774) Another thing we can test automatically, we sorta settled on using an uppercase letter in in t.Log and t.Fatal calls. Let's just check for this. 2018-05-07 22:47:25 +01:00			`t.Errorf("Authority section should have 2 sigs")`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`
			`var nsec *dns.NSEC`
			`for _, r := range m.Ns {`
			`if r.Header().Rrtype == dns.TypeNSEC {`
			`nsec = r.(*dns.NSEC)`
			`}`
			`}`
			`if m.Rcode != dns.RcodeSuccess {`
presubmit: check for uppercase (#1774) Another thing we can test automatically, we sorta settled on using an uppercase letter in in t.Log and t.Fatal calls. Let's just check for this. 2018-05-07 22:47:25 +01:00			`t.Errorf("Expected rcode %d, got %d", dns.RcodeSuccess, m.Rcode)`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`
			`if nsec == nil {`
presubmit: check for uppercase (#1774) Another thing we can test automatically, we sorta settled on using an uppercase letter in in t.Log and t.Fatal calls. Let's just check for this. 2018-05-07 22:47:25 +01:00			`t.Fatalf("Expected NSEC, got none")`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`
			`if nsec.Hdr.Name != "ww.miek.nl." {`
presubmit: check for uppercase (#1774) Another thing we can test automatically, we sorta settled on using an uppercase letter in in t.Log and t.Fatal calls. Let's just check for this. 2018-05-07 22:47:25 +01:00			`t.Errorf("Expected %s, got %s", "ww.miek.nl.", nsec.Hdr.Name)`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`
			`if nsec.NextDomain != "\\000.ww.miek.nl." {`
presubmit: check for uppercase (#1774) Another thing we can test automatically, we sorta settled on using an uppercase letter in in t.Log and t.Fatal calls. Let's just check for this. 2018-05-07 22:47:25 +01:00			`t.Errorf("Expected %s, got %s", "\\000.ww.miek.nl.", nsec.NextDomain)`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`
			`}`

plugin/dnssec: fix blacklies for NXDOMAIN (#1399) * plugin/dnssec: filter bitmap also for NXDOMAIN responses We change nxdomain to nodata, so at the point when we receive the reply it can be nxdomain or nodata. In both cases we should filter the nsec bitmap. Change the code and add explicit tests for this. * More tests 2018-01-18 13:07:23 +00:00			`func TestBlackLiesNoError(t *testing.T) {`
			`d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})`
			`defer rm1()`
			`defer rm2()`

			`m := testSuccessMsg()`
			`state := request.Request{Req: m, Zone: "miek.nl."}`
plugin/dnssec: add per server metrics (#1743) * plugin/dnssec: add per server metrics final plugin. Fixes #1696 #1492 #1189 * Move cache cap into handler so we can access the server label * Remove cache-capacity from it entirely 2018-04-27 19:37:31 +01:00			`m = d.Sign(state, time.Now().UTC(), server)`
plugin/dnssec: fix blacklies for NXDOMAIN (#1399) * plugin/dnssec: filter bitmap also for NXDOMAIN responses We change nxdomain to nodata, so at the point when we receive the reply it can be nxdomain or nodata. In both cases we should filter the nsec bitmap. Change the code and add explicit tests for this. * More tests 2018-01-18 13:07:23 +00:00
			`if m.Rcode != dns.RcodeSuccess {`
presubmit: Check errorf as well (#1845) Uppercase all these test errors as well. And extend the presubmit to check for these in the future. Also do a slightly smarter grep to only get t.<something>. as (because dump regexp) this also grep over non test files. 2018-06-02 19:48:39 +01:00			`t.Errorf("Expected rcode %d, got %d", dns.RcodeSuccess, m.Rcode)`
plugin/dnssec: fix blacklies for NXDOMAIN (#1399) * plugin/dnssec: filter bitmap also for NXDOMAIN responses We change nxdomain to nodata, so at the point when we receive the reply it can be nxdomain or nodata. In both cases we should filter the nsec bitmap. Change the code and add explicit tests for this. * More tests 2018-01-18 13:07:23 +00:00			`}`

			`if len(m.Answer) != 2 {`
presubmit: Check errorf as well (#1845) Uppercase all these test errors as well. And extend the presubmit to check for these in the future. Also do a slightly smarter grep to only get t.<something>. as (because dump regexp) this also grep over non test files. 2018-06-02 19:48:39 +01:00			`t.Errorf("Answer section should have 2 RRs")`
plugin/dnssec: fix blacklies for NXDOMAIN (#1399) * plugin/dnssec: filter bitmap also for NXDOMAIN responses We change nxdomain to nodata, so at the point when we receive the reply it can be nxdomain or nodata. In both cases we should filter the nsec bitmap. Change the code and add explicit tests for this. * More tests 2018-01-18 13:07:23 +00:00			`}`
			`sig, txt := false, false`
			`for _, rr := range m.Answer {`
			`if _, ok := rr.(*dns.RRSIG); ok {`
			`sig = true`
			`}`
			`if _, ok := rr.(*dns.TXT); ok {`
			`txt = true`
			`}`
			`}`
			`if !sig \|\| !txt {`
presubmit: Check errorf as well (#1845) Uppercase all these test errors as well. And extend the presubmit to check for these in the future. Also do a slightly smarter grep to only get t.<something>. as (because dump regexp) this also grep over non test files. 2018-06-02 19:48:39 +01:00			`t.Errorf("Expected RRSIG and TXT in answer section")`
plugin/dnssec: fix blacklies for NXDOMAIN (#1399) * plugin/dnssec: filter bitmap also for NXDOMAIN responses We change nxdomain to nodata, so at the point when we receive the reply it can be nxdomain or nodata. In both cases we should filter the nsec bitmap. Change the code and add explicit tests for this. * More tests 2018-01-18 13:07:23 +00:00			`}`
			`}`

plugin/dnssec: on delegation, sign DS or NSEC of no DS. (#5899) * When returning NS for delegation point, we sign any DS Record or if not found we generate a NSEC proving absence of DS. This follow behaviour describe in rfc4035 (Section 3.1.4) * DS request at apex behave as before. * Fix edge case of requesting NSEC which prove that NSEC does not exist. Signed-off-by: Jeremiejig <me@jeremiejig.fr> 2023-04-22 22:32:01 +02:00			`func TestBlackLiesApexNsec(t *testing.T) {`
			`d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})`
			`defer rm1()`
			`defer rm2()`

			`m := testNsecMsg()`
			`m.SetQuestion("miek.nl.", dns.TypeNSEC)`
			`state := request.Request{Req: m, Zone: "miek.nl."}`
			`m = d.Sign(state, time.Now().UTC(), server)`
			`if len(m.Ns) > 0 {`
			`t.Error("Authority section should be empty")`
			`}`
			`if len(m.Answer) != 2 {`
			`t.Errorf("Answer section should have 2 RRs")`
			`}`
			`sig, nsec := false, false`
			`for _, rr := range m.Answer {`
			`if _, ok := rr.(*dns.RRSIG); ok {`
			`sig = true`
			`}`
			`if rnsec, ok := rr.(*dns.NSEC); ok {`
			`nsec = true`
			`var bitpresent uint`
			`for _, typeBit := range rnsec.TypeBitMap {`
			`switch typeBit {`
			`case dns.TypeSOA:`
			`bitpresent \|= 4`
			`case dns.TypeNSEC:`
			`bitpresent \|= 1`
			`case dns.TypeRRSIG:`
			`bitpresent \|= 2`
			`}`
			`}`
			`if bitpresent != 7 {`
			`t.Error("NSEC must have SOA, RRSIG and NSEC in its bitmap")`
			`}`
			`}`
			`}`
			`if !sig \|\| !nsec {`
			`t.Errorf("Expected RRSIG and NSEC in answer section")`
			`}`
			`}`

			`func TestBlackLiesNsec(t *testing.T) {`
			`d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})`
			`defer rm1()`
			`defer rm2()`

			`m := testNsecMsg()`
			`m.SetQuestion("www.miek.nl.", dns.TypeNSEC)`
			`state := request.Request{Req: m, Zone: "miek.nl."}`
			`m = d.Sign(state, time.Now().UTC(), server)`
			`if len(m.Ns) > 0 {`
			`t.Error("Authority section should be empty")`
			`}`
			`if len(m.Answer) != 2 {`
			`t.Errorf("Answer section should have 2 RRs")`
			`}`
			`sig, nsec := false, false`
			`for _, rr := range m.Answer {`
			`if _, ok := rr.(*dns.RRSIG); ok {`
			`sig = true`
			`}`
			`if rnsec, ok := rr.(*dns.NSEC); ok {`
			`nsec = true`
			`var bitpresent uint`
			`for _, typeBit := range rnsec.TypeBitMap {`
			`switch typeBit {`
			`case dns.TypeNSEC:`
			`bitpresent \|= 1`
			`case dns.TypeRRSIG:`
			`bitpresent \|= 2`
			`}`
			`}`
			`if bitpresent != 3 {`
			`t.Error("NSEC must have RRSIG and NSEC in its bitmap")`
			`}`
			`}`
			`}`
			`if !sig \|\| !nsec {`
			`t.Errorf("Expected RRSIG and NSEC in answer section")`
			`}`
			`}`

			`func TestBlackLiesApexDS(t *testing.T) {`
			`d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})`
			`defer rm1()`
			`defer rm2()`

			`m := testApexDSMsg()`
			`m.SetQuestion("miek.nl.", dns.TypeDS)`
			`state := request.Request{Req: m, Zone: "miek.nl."}`
			`m = d.Sign(state, time.Now().UTC(), server)`
			`if !section(m.Ns, 2) {`
			`t.Errorf("Authority section should have 2 sigs")`
			`}`
			`var nsec *dns.NSEC`
			`for _, r := range m.Ns {`
			`if r.Header().Rrtype == dns.TypeNSEC {`
			`nsec = r.(*dns.NSEC)`
			`}`
			`}`
			`if nsec == nil {`
			`t.Error("Expected NSEC, got none")`
			`} else if correctNsecForDS(nsec) {`
			`t.Error("NSEC DS at the apex zone should cover all apex type.")`
			`}`
			`}`

			`func TestBlackLiesDS(t *testing.T) {`
			`d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})`
			`defer rm1()`
			`defer rm2()`

			`m := testApexDSMsg()`
			`m.SetQuestion("sub.miek.nl.", dns.TypeDS)`
			`state := request.Request{Req: m, Zone: "miek.nl."}`
			`m = d.Sign(state, time.Now().UTC(), server)`
			`if !section(m.Ns, 2) {`
			`t.Errorf("Authority section should have 2 sigs")`
			`}`
			`var nsec *dns.NSEC`
			`for _, r := range m.Ns {`
			`if r.Header().Rrtype == dns.TypeNSEC {`
			`nsec = r.(*dns.NSEC)`
			`}`
			`}`
			`if nsec == nil {`
			`t.Error("Expected NSEC, got none")`
			`} else if !correctNsecForDS(nsec) {`
			`t.Error("NSEC DS should cover delegation type only.")`
			`}`
			`}`

			`func correctNsecForDS(nsec *dns.NSEC) bool {`
			`var bitmask uint`
			`/* Coherent TypeBitMap for NSEC of DS should contain at least:`
			`* {TypeNS, TypeNSEC, TypeRRSIG} and no SOA.`
			`* Any missing type will confuse resolver because`
			`* it will prove that the dns query cannot be a delegation point,`
			`* which will break trust resolution for unsigned delegated domain.`
			`* No SOA is obvious for none apex query.`
			`*/`
			`for _, typeBitmask := range nsec.TypeBitMap {`
			`switch typeBitmask {`
			`case dns.TypeNS:`
			`bitmask \|= 1`
			`case dns.TypeNSEC:`
			`bitmask \|= 2`
			`case dns.TypeRRSIG:`
			`bitmask \|= 4`
			`case dns.TypeSOA:`
			`return false`
			`}`
			`}`
			`return bitmask == 7`
			`}`

Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`func testNxdomainMsg() *dns.Msg {`
			`return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeNameError},`
Fix various issues with formatting and typos (#424) * Fix typos * Simplify code * Fix error usage 2016-11-13 14:03:12 +00:00			`Question: []dns.Question{{Name: "ww.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeTXT}},`
plugin/dnssec: on delegation, sign DS or NSEC of no DS. (#5899) * When returning NS for delegation point, we sign any DS Record or if not found we generate a NSEC proving absence of DS. This follow behaviour describe in rfc4035 (Section 3.1.4) * DS request at apex behave as before. * Fix edge case of requesting NSEC which prove that NSEC does not exist. Signed-off-by: Jeremiejig <me@jeremiejig.fr> 2023-04-22 22:32:01 +02:00			`Ns: []dns.RR{test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400")},`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`
			`}`
plugin/dnssec: fix blacklies for NXDOMAIN (#1399) * plugin/dnssec: filter bitmap also for NXDOMAIN responses We change nxdomain to nodata, so at the point when we receive the reply it can be nxdomain or nodata. In both cases we should filter the nsec bitmap. Change the code and add explicit tests for this. * More tests 2018-01-18 13:07:23 +00:00
			`func testSuccessMsg() *dns.Msg {`
			`return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeSuccess},`
			`Question: []dns.Question{{Name: "www.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeTXT}},`
plugin/dnssec: on delegation, sign DS or NSEC of no DS. (#5899) * When returning NS for delegation point, we sign any DS Record or if not found we generate a NSEC proving absence of DS. This follow behaviour describe in rfc4035 (Section 3.1.4) * DS request at apex behave as before. * Fix edge case of requesting NSEC which prove that NSEC does not exist. Signed-off-by: Jeremiejig <me@jeremiejig.fr> 2023-04-22 22:32:01 +02:00			Answer: []dns.RR{test.TXT(`www.miek.nl. 1800 IN TXT "response"`)},
			`}`
			`}`

			`func testNsecMsg() *dns.Msg {`
			`return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeNameError},`
			`Question: []dns.Question{{Name: "www.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeNSEC}},`
			`Ns: []dns.RR{test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400")},`
			`}`
			`}`

			`func testApexDSMsg() *dns.Msg {`
			`return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeNameError},`
			`Question: []dns.Question{{Name: "miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeDS}},`
			`Ns: []dns.RR{test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400")},`
plugin/dnssec: fix blacklies for NXDOMAIN (#1399) * plugin/dnssec: filter bitmap also for NXDOMAIN responses We change nxdomain to nodata, so at the point when we receive the reply it can be nxdomain or nodata. In both cases we should filter the nsec bitmap. Change the code and add explicit tests for this. * More tests 2018-01-18 13:07:23 +00:00			`}`
			`}`