plugin/dnssec: on delegation, sign DS or NSEC of no DS. (#5899)

* When returning NS for delegation point, we sign any DS Record or if not
  found we generate a NSEC proving absence of DS. This follow behaviour
  describe in rfc4035 (Section 3.1.4)
* DS request at apex behave as before.
* Fix edge case of requesting NSEC which prove that NSEC does not exist.

Signed-off-by: Jeremiejig <me@jeremiejig.fr>

plugin/dnssec/black_lies_test.go

@@ -71,16 +71,188 @@ func TestBlackLiesNoError(t *testing.T) {
 	}
 }
 
+func TestBlackLiesApexNsec(t *testing.T) {
+	d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
+	defer rm1()
+	defer rm2()
+
+	m := testNsecMsg()
+	m.SetQuestion("miek.nl.", dns.TypeNSEC)
+	state := request.Request{Req: m, Zone: "miek.nl."}
+	m = d.Sign(state, time.Now().UTC(), server)
+	if len(m.Ns) > 0 {
+		t.Error("Authority section should be empty")
+	}
+	if len(m.Answer) != 2 {
+		t.Errorf("Answer section should have 2 RRs")
+	}
+	sig, nsec := false, false
+	for _, rr := range m.Answer {
+		if _, ok := rr.(*dns.RRSIG); ok {
+			sig = true
+		}
+		if rnsec, ok := rr.(*dns.NSEC); ok {
+			nsec = true
+			var bitpresent uint
+			for _, typeBit := range rnsec.TypeBitMap {
+				switch typeBit {
+				case dns.TypeSOA:
+					bitpresent |= 4
+				case dns.TypeNSEC:
+					bitpresent |= 1
+				case dns.TypeRRSIG:
+					bitpresent |= 2
+				}
+			}
+			if bitpresent != 7 {
+				t.Error("NSEC must have SOA, RRSIG and NSEC in its bitmap")
+			}
+		}
+	}
+	if !sig || !nsec {
+		t.Errorf("Expected RRSIG and NSEC in answer section")
+	}
+}
+
+func TestBlackLiesNsec(t *testing.T) {
+	d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
+	defer rm1()
+	defer rm2()
+
+	m := testNsecMsg()
+	m.SetQuestion("www.miek.nl.", dns.TypeNSEC)
+	state := request.Request{Req: m, Zone: "miek.nl."}
+	m = d.Sign(state, time.Now().UTC(), server)
+	if len(m.Ns) > 0 {
+		t.Error("Authority section should be empty")
+	}
+	if len(m.Answer) != 2 {
+		t.Errorf("Answer section should have 2 RRs")
+	}
+	sig, nsec := false, false
+	for _, rr := range m.Answer {
+		if _, ok := rr.(*dns.RRSIG); ok {
+			sig = true
+		}
+		if rnsec, ok := rr.(*dns.NSEC); ok {
+			nsec = true
+			var bitpresent uint
+			for _, typeBit := range rnsec.TypeBitMap {
+				switch typeBit {
+				case dns.TypeNSEC:
+					bitpresent |= 1
+				case dns.TypeRRSIG:
+					bitpresent |= 2
+				}
+			}
+			if bitpresent != 3 {
+				t.Error("NSEC must have RRSIG and NSEC in its bitmap")
+			}
+		}
+	}
+	if !sig || !nsec {
+		t.Errorf("Expected RRSIG and NSEC in answer section")
+	}
+}
+
+func TestBlackLiesApexDS(t *testing.T) {
+	d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
+	defer rm1()
+	defer rm2()
+
+	m := testApexDSMsg()
+	m.SetQuestion("miek.nl.", dns.TypeDS)
+	state := request.Request{Req: m, Zone: "miek.nl."}
+	m = d.Sign(state, time.Now().UTC(), server)
+	if !section(m.Ns, 2) {
+		t.Errorf("Authority section should have 2 sigs")
+	}
+	var nsec *dns.NSEC
+	for _, r := range m.Ns {
+		if r.Header().Rrtype == dns.TypeNSEC {
+			nsec = r.(*dns.NSEC)
+		}
+	}
+	if nsec == nil {
+		t.Error("Expected NSEC, got none")
+	} else if correctNsecForDS(nsec) {
+		t.Error("NSEC DS at the apex zone should cover all apex type.")
+	}
+}
+
+func TestBlackLiesDS(t *testing.T) {
+	d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
+	defer rm1()
+	defer rm2()
+
+	m := testApexDSMsg()
+	m.SetQuestion("sub.miek.nl.", dns.TypeDS)
+	state := request.Request{Req: m, Zone: "miek.nl."}
+	m = d.Sign(state, time.Now().UTC(), server)
+	if !section(m.Ns, 2) {
+		t.Errorf("Authority section should have 2 sigs")
+	}
+	var nsec *dns.NSEC
+	for _, r := range m.Ns {
+		if r.Header().Rrtype == dns.TypeNSEC {
+			nsec = r.(*dns.NSEC)
+		}
+	}
+	if nsec == nil {
+		t.Error("Expected NSEC, got none")
+	} else if !correctNsecForDS(nsec) {
+		t.Error("NSEC DS should cover delegation type only.")
+	}
+}
+
+func correctNsecForDS(nsec *dns.NSEC) bool {
+	var bitmask uint
+	/* Coherent TypeBitMap for NSEC of DS should contain at least:
+	 * {TypeNS, TypeNSEC, TypeRRSIG} and no SOA.
+	 * Any missing type will confuse resolver because
+	 * it will prove that the dns query cannot be a delegation point,
+	 * which will break trust resolution for unsigned delegated domain.
+	 * No SOA is obvious for none apex query.
+	 */
+	for _, typeBitmask := range nsec.TypeBitMap {
+		switch typeBitmask {
+		case dns.TypeNS:
+			bitmask |= 1
+		case dns.TypeNSEC:
+			bitmask |= 2
+		case dns.TypeRRSIG:
+			bitmask |= 4
+		case dns.TypeSOA:
+			return false
+		}
+	}
+	return bitmask == 7
+}
+
 func testNxdomainMsg() *dns.Msg {
 	return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeNameError},
 		Question: []dns.Question{{Name: "ww.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeTXT}},
-		Ns: []dns.RR{test.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400")},
+		Ns:       []dns.RR{test.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400")},
 	}
 }
 
 func testSuccessMsg() *dns.Msg {
 	return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeSuccess},
 		Question: []dns.Question{{Name: "www.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeTXT}},
-		Answer: []dns.RR{test.TXT(`www.miek.nl.	1800	IN	TXT	"response"`)},
+		Answer:   []dns.RR{test.TXT(`www.miek.nl.	1800	IN	TXT	"response"`)},
+	}
+}
+
+func testNsecMsg() *dns.Msg {
+	return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeNameError},
+		Question: []dns.Question{{Name: "www.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeNSEC}},
+		Ns:       []dns.RR{test.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400")},
+	}
+}
+
+func testApexDSMsg() *dns.Msg {
+	return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeNameError},
+		Question: []dns.Question{{Name: "miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeDS}},
+		Ns:       []dns.RR{test.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400")},
 	}
 }