	* plugin/dnssec: filter bitmap also for NXDOMAIN responses We change nxdomain to nodata, so at the point when we receive the reply it can be nxdomain or nodata. In both cases we should filter the nsec bitmap. Change the code and add explicit tests for this. * More tests
		
			
				
	
	
		
| package dnssec
 | |
| 
 | |
| import (
 | |
| 	"testing"
 | |
| 	"time"
 | |
| 
 | |
| 	"github.com/coredns/coredns/plugin/test"
 | |
| 	"github.com/coredns/coredns/request"
 | |
| 
 | |
| 	"github.com/miekg/dns"
 | |
| )
 | |
| 
 | |
// TestZoneSigningBlackLies checks the denial-of-existence answer produced when
// an NXDOMAIN reply for a name inside the signed zone is passed through Sign.
//
// The expectations below pin three properties of the signed reply:
//   - the rcode is rewritten from NXDOMAIN to NOERROR (a NODATA-style answer);
//   - the authority section carries an NSEC owned by the queried name itself;
//   - that NSEC's next-domain is "\000." prepended to the queried name, i.e.
//     the span covered by the record holds no other name of the zone, so the
//     denial does not disclose neighbouring owner names to a zone walker.
//
// NOTE(review): the NSEC type bitmap is not asserted in this test, and the
// RRSIGs are only counted (via section), not cryptographically validated.
func TestZoneSigningBlackLies(t *testing.T) {
	const (
		zone      = "miek.nl."
		wantOwner = "ww.miek.nl."
		wantNext  = "\\000.ww.miek.nl."
	)

	d, rm1, rm2 := newDnssec(t, []string{zone})
	defer rm1()
	defer rm2()

	signed := d.Sign(request.Request{Req: testNxdomainMsg(), Zone: zone}, time.Now().UTC())

	// section is defined elsewhere in the package; presumably it counts the
	// RRSIGs present in the given section.
	if ok := section(signed.Ns, 2); !ok {
		t.Errorf("authority section should have 2 sig")
	}
	if got := signed.Rcode; got != dns.RcodeSuccess {
		t.Errorf("expected rcode %d, got %d", dns.RcodeSuccess, got)
	}

	// Keep the last NSEC found in the authority section.
	var nsec *dns.NSEC
	for _, rr := range signed.Ns {
		if rr.Header().Rrtype != dns.TypeNSEC {
			continue
		}
		nsec = rr.(*dns.NSEC)
	}
	if nsec == nil {
		// Fatal: the remaining checks dereference nsec.
		t.Fatalf("expected NSEC, got none")
	}

	if got := nsec.Hdr.Name; got != wantOwner {
		t.Errorf("expected %s, got %s", wantOwner, got)
	}
	if got := nsec.NextDomain; got != wantNext {
		t.Errorf("expected %s, got %s", wantNext, got)
	}
}
 | |
| 
 | |
// TestBlackLiesNoError checks that a successful (NOERROR) reply is signed
// without being rewritten: the rcode stays NOERROR and the answer section
// holds exactly two records, the original TXT plus an RRSIG.
//
// NOTE(review): only the presence of an RRSIG is asserted; the signature is
// not validated against the zone key here.
func TestBlackLiesNoError(t *testing.T) {
	const zone = "miek.nl."

	d, rm1, rm2 := newDnssec(t, []string{zone})
	defer rm1()
	defer rm2()

	signed := d.Sign(request.Request{Req: testSuccessMsg(), Zone: zone}, time.Now().UTC())

	if got := signed.Rcode; got != dns.RcodeSuccess {
		t.Errorf("expected rcode %d, got %d", dns.RcodeSuccess, got)
	}

	if n := len(signed.Answer); n != 2 {
		t.Errorf("answer section should have 2 RRs")
	}

	// Record which of the two expected record types show up in the answer.
	var haveSig, haveTXT bool
	for _, rr := range signed.Answer {
		switch rr.(type) {
		case *dns.RRSIG:
			haveSig = true
		case *dns.TXT:
			haveTXT = true
		}
	}
	if !(haveSig && haveTXT) {
		t.Errorf("expected RRSIG and TXT in answer section")
	}
}
 | |
| 
 | |
// testNxdomainMsg builds the unsigned NXDOMAIN reply used as input to Sign:
// a TXT question for ww.miek.nl. with the miek.nl. SOA in the authority
// section.
func testNxdomainMsg() *dns.Msg {
	msg := new(dns.Msg)
	msg.Rcode = dns.RcodeNameError
	msg.Question = []dns.Question{
		{Name: "ww.miek.nl.", Qtype: dns.TypeTXT, Qclass: dns.ClassINET},
	}
	msg.Ns = []dns.RR{
		test.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400"),
	}
	return msg
}
 | |
| 
 | |
// testSuccessMsg builds the unsigned NOERROR reply used as input to Sign:
// a TXT question for www.miek.nl. answered by a single TXT record.
func testSuccessMsg() *dns.Msg {
	msg := new(dns.Msg)
	msg.Rcode = dns.RcodeSuccess
	msg.Question = []dns.Question{
		{Name: "www.miek.nl.", Qtype: dns.TypeTXT, Qclass: dns.ClassINET},
	}
	msg.Answer = []dns.RR{
		test.TXT(`www.miek.nl.	1800	IN	TXT	"response"`),
	}
	return msg
}
 |