										 |  |  | package dnssec
							|  |  |  | import (
							|  |  |  | 	"testing"
							|  |  |  | 	"time"
										 |  |  | 	"github.com/coredns/coredns/plugin/test"
										 |  |  | 	"github.com/coredns/coredns/request"
							|  |  |  | 	"github.com/miekg/dns"
							|  |  |  | )
// TestZoneSigningBlackLies feeds an NXDOMAIN reply for ww.miek.nl. (built by
// testNxdomainMsg) through d.Sign and checks the signed denial of existence:
// the rcode must come back as NOERROR, the authority section must pass
// section(..., 2), and an NSEC record must be present whose owner is the query
// name and whose next domain is "\000." prepended to the query name.
//
// NOTE(review): only the NSEC owner and next-domain names are compared here;
// the NSEC type bitmap is not inspected, and nothing in this function verifies
// the RRSIGs cryptographically (section is defined elsewhere; confirm what it
// actually counts).
func TestZoneSigningBlackLies(t *testing.T) {
	const (
		wantOwner = "ww.miek.nl."
		wantNext  = "\\000.ww.miek.nl."
	)

	d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
	defer rm1()
	defer rm2()

	state := request.Request{Req: testNxdomainMsg(), Zone: "miek.nl."}
	signed := d.Sign(state, time.Now().UTC(), server)

	if !section(signed.Ns, 2) {
		t.Errorf("Authority section should have 2 sigs")
	}

	// Pick the NSEC out of the authority section; if several are present the
	// last one wins.
	var nsec *dns.NSEC
	for _, rr := range signed.Ns {
		if rr.Header().Rrtype != dns.TypeNSEC {
			continue
		}
		nsec = rr.(*dns.NSEC)
	}

	if got := signed.Rcode; got != dns.RcodeSuccess {
		t.Errorf("Expected rcode %d, got %d", dns.RcodeSuccess, got)
	}

	// Fatal rather than Error: the checks below dereference nsec.
	if nsec == nil {
		t.Fatalf("Expected NSEC, got none")
	}
	if got := nsec.Hdr.Name; got != wantOwner {
		t.Errorf("Expected %s, got %s", wantOwner, got)
	}
	if got := nsec.NextDomain; got != wantNext {
		t.Errorf("Expected %s, got %s", wantNext, got)
	}
}
// TestBlackLiesNoError signs a successful (NOERROR) TXT reply for www.miek.nl.
// and checks that it is left as a positive answer: the rcode stays NOERROR and
// the answer section holds exactly two records, with at least one RRSIG and at
// least one TXT among them.
//
// NOTE(review): the RRSIG is only checked for presence; its signature is not
// validated against the zone key in this function.
func TestBlackLiesNoError(t *testing.T) {
	d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
	defer rm1()
	defer rm2()

	state := request.Request{Req: testSuccessMsg(), Zone: "miek.nl."}
	signed := d.Sign(state, time.Now().UTC(), server)

	if got := signed.Rcode; got != dns.RcodeSuccess {
		t.Errorf("Expected rcode %d, got %d", dns.RcodeSuccess, got)
	}
	if len(signed.Answer) != 2 {
		t.Errorf("Answer section should have 2 RRs")
	}

	// Record which of the two expected record types show up in the answer.
	var haveSig, haveTXT bool
	for _, rr := range signed.Answer {
		switch rr.(type) {
		case *dns.RRSIG:
			haveSig = true
		case *dns.TXT:
			haveTXT = true
		}
	}
	if !(haveSig && haveTXT) {
		t.Errorf("Expected RRSIG and TXT in answer section")
	}
}
// testNxdomainMsg returns an unsigned NXDOMAIN (RcodeNameError) reply for a TXT
// query on ww.miek.nl., carrying the miek.nl. SOA in the authority section.
func testNxdomainMsg() *dns.Msg {
	m := new(dns.Msg)
	m.Rcode = dns.RcodeNameError
	m.Question = []dns.Question{
		{Name: "ww.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeTXT},
	}
	m.Ns = []dns.RR{
		test.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400"),
	}
	return m
}
// testSuccessMsg returns an unsigned NOERROR reply for a TXT query on
// www.miek.nl. with a single TXT record in the answer section.
func testSuccessMsg() *dns.Msg {
	m := new(dns.Msg)
	m.Rcode = dns.RcodeSuccess
	m.Question = []dns.Question{
		{Name: "www.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeTXT},
	}
	m.Answer = []dns.RR{
		test.TXT(`www.miek.nl.	1800	IN	TXT	"response"`),
	}
	return m
}