Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-11-03 18:53:13 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
aef4bd2d02fd4820c2207c63f7482ecb1e484680
coredns/plugin/dnssec/black_lies_test.go
jeremiejig 13e66918e3 plugin/dnssec: on delegation, sign DS or NSEC of no DS. (#5899) 
* When returning NS for delegation point, we sign any DS Record or if not
  found we generate a NSEC proving absence of DS. This follow behaviour
  describe in rfc4035 (Section 3.1.4)
* DS request at apex behave as before.
* Fix edge case of requesting NSEC which prove that NSEC does not exist.

Signed-off-by: Jeremiejig <me@jeremiejig.fr>
2023-04-22 22:32:01 +02:00

259 lines
6.6 KiB
Go
Raw Blame History

package dnssec
import (
"testing"
"time"
"github.com/coredns/coredns/plugin/test"
"github.com/coredns/coredns/request"
"github.com/miekg/dns"
)
func TestZoneSigningBlackLies(t *testing.T) {
d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
defer rm1()
defer rm2()
m := testNxdomainMsg()
state := request.Request{Req: m, Zone: "miek.nl."}
m = d.Sign(state, time.Now().UTC(), server)
if !section(m.Ns, 2) {
t.Errorf("Authority section should have 2 sigs")
}
var nsec *dns.NSEC
for _, r := range m.Ns {
if r.Header().Rrtype == dns.TypeNSEC {
nsec = r.(*dns.NSEC)
}
}
if m.Rcode != dns.RcodeSuccess {
t.Errorf("Expected rcode %d, got %d", dns.RcodeSuccess, m.Rcode)
}
if nsec == nil {
t.Fatalf("Expected NSEC, got none")
}
if nsec.Hdr.Name != "ww.miek.nl." {
t.Errorf("Expected %s, got %s", "ww.miek.nl.", nsec.Hdr.Name)
}
if nsec.NextDomain != "\\000.ww.miek.nl." {
t.Errorf("Expected %s, got %s", "\\000.ww.miek.nl.", nsec.NextDomain)
}
}
func TestBlackLiesNoError(t *testing.T) {
d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
defer rm1()
defer rm2()
m := testSuccessMsg()
state := request.Request{Req: m, Zone: "miek.nl."}
m = d.Sign(state, time.Now().UTC(), server)
if m.Rcode != dns.RcodeSuccess {
t.Errorf("Expected rcode %d, got %d", dns.RcodeSuccess, m.Rcode)
}
if len(m.Answer) != 2 {
t.Errorf("Answer section should have 2 RRs")
}
sig, txt := false, false
for _, rr := range m.Answer {
if _, ok := rr.(*dns.RRSIG); ok {
sig = true
}
if _, ok := rr.(*dns.TXT); ok {
txt = true
}
}
if !sig || !txt {
t.Errorf("Expected RRSIG and TXT in answer section")
}
}
func TestBlackLiesApexNsec(t *testing.T) {
d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
defer rm1()
defer rm2()
m := testNsecMsg()
m.SetQuestion("miek.nl.", dns.TypeNSEC)
state := request.Request{Req: m, Zone: "miek.nl."}
m = d.Sign(state, time.Now().UTC(), server)
if len(m.Ns) > 0 {
t.Error("Authority section should be empty")
}
if len(m.Answer) != 2 {
t.Errorf("Answer section should have 2 RRs")
}
sig, nsec := false, false
for _, rr := range m.Answer {
if _, ok := rr.(*dns.RRSIG); ok {
sig = true
}
if rnsec, ok := rr.(*dns.NSEC); ok {
nsec = true
var bitpresent uint
for _, typeBit := range rnsec.TypeBitMap {
switch typeBit {
case dns.TypeSOA:
bitpresent |= 4
case dns.TypeNSEC:
bitpresent |= 1
case dns.TypeRRSIG:
bitpresent |= 2
}
}
if bitpresent != 7 {
t.Error("NSEC must have SOA, RRSIG and NSEC in its bitmap")
}
}
}
if !sig || !nsec {
t.Errorf("Expected RRSIG and NSEC in answer section")
}
}
func TestBlackLiesNsec(t *testing.T) {
d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
defer rm1()
defer rm2()
m := testNsecMsg()
m.SetQuestion("www.miek.nl.", dns.TypeNSEC)
state := request.Request{Req: m, Zone: "miek.nl."}
m = d.Sign(state, time.Now().UTC(), server)
if len(m.Ns) > 0 {
t.Error("Authority section should be empty")
}
if len(m.Answer) != 2 {
t.Errorf("Answer section should have 2 RRs")
}
sig, nsec := false, false
for _, rr := range m.Answer {
if _, ok := rr.(*dns.RRSIG); ok {
sig = true
}
if rnsec, ok := rr.(*dns.NSEC); ok {
nsec = true
var bitpresent uint
for _, typeBit := range rnsec.TypeBitMap {
switch typeBit {
case dns.TypeNSEC:
bitpresent |= 1
case dns.TypeRRSIG:
bitpresent |= 2
}
}
if bitpresent != 3 {
t.Error("NSEC must have RRSIG and NSEC in its bitmap")
}
}
}
if !sig || !nsec {
t.Errorf("Expected RRSIG and NSEC in answer section")
}
}
func TestBlackLiesApexDS(t *testing.T) {
d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
defer rm1()
defer rm2()
m := testApexDSMsg()
m.SetQuestion("miek.nl.", dns.TypeDS)
state := request.Request{Req: m, Zone: "miek.nl."}
m = d.Sign(state, time.Now().UTC(), server)
if !section(m.Ns, 2) {
t.Errorf("Authority section should have 2 sigs")
}
var nsec *dns.NSEC
for _, r := range m.Ns {
if r.Header().Rrtype == dns.TypeNSEC {
nsec = r.(*dns.NSEC)
}
}
if nsec == nil {
t.Error("Expected NSEC, got none")
} else if correctNsecForDS(nsec) {
t.Error("NSEC DS at the apex zone should cover all apex type.")
}
}
func TestBlackLiesDS(t *testing.T) {
d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
defer rm1()
defer rm2()
m := testApexDSMsg()
m.SetQuestion("sub.miek.nl.", dns.TypeDS)
state := request.Request{Req: m, Zone: "miek.nl."}
m = d.Sign(state, time.Now().UTC(), server)
if !section(m.Ns, 2) {
t.Errorf("Authority section should have 2 sigs")
}
var nsec *dns.NSEC
for _, r := range m.Ns {
if r.Header().Rrtype == dns.TypeNSEC {
nsec = r.(*dns.NSEC)
}
}
if nsec == nil {
t.Error("Expected NSEC, got none")
} else if !correctNsecForDS(nsec) {
t.Error("NSEC DS should cover delegation type only.")
}
}
func correctNsecForDS(nsec *dns.NSEC) bool {
var bitmask uint
/* Coherent TypeBitMap for NSEC of DS should contain at least:
* {TypeNS, TypeNSEC, TypeRRSIG} and no SOA.
* Any missing type will confuse resolver because
* it will prove that the dns query cannot be a delegation point,
* which will break trust resolution for unsigned delegated domain.
* No SOA is obvious for none apex query.
*/
for _, typeBitmask := range nsec.TypeBitMap {
switch typeBitmask {
case dns.TypeNS:
bitmask |= 1
case dns.TypeNSEC:
bitmask |= 2
case dns.TypeRRSIG:
bitmask |= 4
case dns.TypeSOA:
return false
}
}
return bitmask == 7
}
func testNxdomainMsg() *dns.Msg {
return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeNameError},
Question: []dns.Question{{Name: "ww.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeTXT}},
Ns: []dns.RR{test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400")},
}
}
func testSuccessMsg() *dns.Msg {
return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeSuccess},
Question: []dns.Question{{Name: "www.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeTXT}},
Answer: []dns.RR{test.TXT(`www.miek.nl. 1800 IN TXT "response"`)},
}
}
func testNsecMsg() *dns.Msg {
return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeNameError},
Question: []dns.Question{{Name: "www.miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeNSEC}},
Ns: []dns.RR{test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400")},
}
}
func testApexDSMsg() *dns.Msg {
return &dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeNameError},
Question: []dns.Question{{Name: "miek.nl.", Qclass: dns.ClassINET, Qtype: dns.TypeDS}},
Ns: []dns.RR{test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1461471181 14400 3600 604800 14400")},
}
}
Reference in New Issue View Git Blame Copy Permalink