plugin/dnssec: fix blacklies for NXDOMAIN (#1399)

* plugin/dnssec: filter bitmap also for NXDOMAIN responses We change nxdomain to nodata, so at the point when we receive the reply it can be nxdomain or nodata. In both cases we should filter the nsec bitmap. Change the code and add explicit tests for this. * More tests
2025-11-02 18:23:25 -05:00 · 2018-01-18 13:07:23 +00:00
parent c39e5cd014
commit cb3190bab1
3 changed files with 102 additions and 4 deletions
--- a/plugin/dnssec/black_lies_test.go
+++ b/plugin/dnssec/black_lies_test.go
@@ -41,9 +41,46 @@ func TestZoneSigningBlackLies(t *testing.T) {
 	}
 }

+func TestBlackLiesNoError(t *testing.T) {
+	d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
+	defer rm1()
+	defer rm2()
+
+	m := testSuccessMsg()
+	state := request.Request{Req: m, Zone: "miek.nl."}
+	m = d.Sign(state, time.Now().UTC())
+
+	if m.Rcode != dns.RcodeSuccess {
+		t.Errorf("expected rcode %d, got %d", dns.RcodeSuccess, m.Rcode)
+	}
+
+	if len(m.Answer) != 2 {
+		t.Errorf("answer section should have 2 RRs")
+	}
+	sig, txt := false, false
+	for _, rr := range m.Answer {
+		if _, ok := rr.(*dns.RRSIG); ok {
+			sig = true
+		}
+		if _, ok := rr.(*dns.TXT); ok {
+			txt = true
+		}
+	}
+	if !sig || !txt {
+		t.Errorf("expected RRSIG and TXT in answer section")
+	}
+}
+
 func testNxdomainMsg() *dns.Msg {
 	return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeNameError},
 		Question: []dns.Question{{Name: "ww.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeTXT}},
 		Ns: []dns.RR{test.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400")},
 	}
 }
+
+func testSuccessMsg() *dns.Msg {
+	return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeSuccess},
+		Question: []dns.Question{{Name: "www.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeTXT}},
+		Answer: []dns.RR{test.TXT(`www.miek.nl.	1800	IN	TXT	"response"`)},
+	}
+}