	* plugin/dnssec: Add support for KSK/ZSK split key setups * plugin/dnssec: Update README to document split ZSK/KSK operation
| package dnssec
 | |
| 
 | |
| import (
 | |
| 	"context"
 | |
| 	"strings"
 | |
| 	"testing"
 | |
| 
 | |
| 	"github.com/coredns/coredns/plugin/file"
 | |
| 	"github.com/coredns/coredns/plugin/pkg/cache"
 | |
| 	"github.com/coredns/coredns/plugin/pkg/dnstest"
 | |
| 	"github.com/coredns/coredns/plugin/test"
 | |
| 
 | |
| 	"github.com/miekg/dns"
 | |
| )
 | |
| 
 | |
// dnssecTestCases exercise DNSKEY lookups answered by the dnssec plugin
// itself (no backing zone). Without DO only the key is returned; with DO the
// DNSKEY RRset must also carry an RRSIG and the response must echo an OPT
// record with DO set. The RRSIG payloads here are truncated placeholders, so
// test.SortAndCheck presumably does not compare signature bytes — verify there.
var dnssecTestCases = []test.Case{
	{
		// Plain DNSKEY query: key only, no signature.
		Qname: "miek.nl.",
		Qtype: dns.TypeDNSKEY,
		Answer: []dns.RR{
			test.DNSKEY("miek.nl.	3600	IN	DNSKEY	257 3 13 0J8u0XJ9GNGFEBXuAmLu04taHG4"),
		},
	},
	{
		// DO=1: the DNSKEY RRset comes back signed and OPT/DO is echoed.
		Qname: "miek.nl.",
		Qtype: dns.TypeDNSKEY,
		Do:    true,
		Answer: []dns.RR{
			test.DNSKEY("miek.nl.	3600	IN	DNSKEY	257 3 13 0J8u0XJ9GNGFEBXuAmLu04taHG4"),
			test.RRSIG("miek.nl.	3600	IN	RRSIG	DNSKEY 13 2 3600 20160503150844 20160425120844 18512 miek.nl. Iw/kNOyM"),
		},
		Extra: []dns.RR{test.OPT(4096, true)},
	},
}
| 
 | |
// dnsTestCases exercise the dnssec plugin in front of the file plugin serving
// dbMiekNL. They cover: unsigned answers when DO is clear, RRSIGs on every
// RRset (answer, authority, each link of a CNAME chain) when DO is set,
// NODATA-style denials carrying an NSEC whose bitmap must omit the queried
// type, and a name outside the configured zone that ends in SERVFAIL.
var dnsTestCases = []test.Case{
	{
		// DNSKEY is answered by the plugin, not the zone; no DO so no RRSIG.
		Qname: "miek.nl.",
		Qtype: dns.TypeDNSKEY,
		Answer: []dns.RR{
			test.DNSKEY("miek.nl.	3600	IN	DNSKEY	257 3 13 0J8u0XJ9GNGFEBXuAmLu04taHG4"),
		},
	},
	{
		// DO clear: zone data passes through unsigned.
		Qname: "miek.nl.",
		Qtype: dns.TypeMX,
		Answer: []dns.RR{
			test.MX("miek.nl.	1800	IN	MX	1 aspmx.l.google.com."),
		},
		Ns: []dns.RR{
			test.NS("miek.nl.	1800	IN	NS	linode.atoom.net."),
		},
	},
	{
		// DO set: both the MX RRset and the authority NS RRset get an RRSIG.
		Qname: "miek.nl.",
		Qtype: dns.TypeMX,
		Do:    true,
		Answer: []dns.RR{
			test.MX("miek.nl.	1800	IN	MX	1 aspmx.l.google.com."),
			test.RRSIG("miek.nl.	1800	IN	RRSIG	MX 13 2 3600 20160503192428 20160425162428 18512 miek.nl. 4nxuGKitXjPVA9zP1JIUvA09"),
		},
		Ns: []dns.RR{
			test.NS("miek.nl.	1800	IN	NS	linode.atoom.net."),
			test.RRSIG("miek.nl.	1800	IN	RRSIG	NS 13 2 3600 20161217114912 20161209084912 18512 miek.nl. ad9gA8VWgF1H8ze9/0Rk2Q=="),
		},
	},
	{
		// CNAME chain: the CNAME and the AAAA it points at are each signed
		// (label count 3 in the RRSIGs matches the three-label owner names).
		Qname: "www.miek.nl.",
		Qtype: dns.TypeAAAA,
		Do:    true,
		Answer: []dns.RR{
			test.AAAA("a.miek.nl.	1800	IN	AAAA	2a01:7e00::f03c:91ff:fef1:6735"),
			test.RRSIG("a.miek.nl.	1800	IN	RRSIG	AAAA 13 3 3600 20160503193047 20160425163047 18512 miek.nl. UAyMG+gcnoXW3"),
			test.CNAME("www.miek.nl.	1800	IN	CNAME	a.miek.nl."),
			test.RRSIG("www.miek.nl.	1800	IN	RRSIG	CNAME 13 3 3600 20160503193047 20160425163047 18512 miek.nl. E3qGZn"),
		},
		Ns: []dns.RR{
			test.NS("miek.nl.	1800	IN	NS	linode.atoom.net."),
			test.RRSIG("miek.nl.	1800	IN	RRSIG	NS 13 2 3600 20161217114912 20161209084912 18512 miek.nl. ad9gA8VWgF1H8ze9/0Rk2Q=="),
		},
	},
	{
		// Name that does not exist in dbMiekNL. Rcode is left at NOERROR and
		// the denial is an NSEC owned by the query name with "\000." prepended
		// as its next name; its bitmap must not list AAAA.
		Qname: "wwwww.miek.nl.",
		Qtype: dns.TypeAAAA,
		Do:    true,
		Ns: []dns.RR{
			test.RRSIG("miek.nl.	1800	IN	RRSIG	SOA 13 2 3600 20171220135446 20171212105446 18512 miek.nl. hCRzzjYz6w=="),
			test.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
			test.NSEC("wwwww.miek.nl.	1800	IN	NSEC	\\000.wwwww.miek.nl. A HINFO TXT LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF"),
			test.RRSIG("wwwww.miek.nl.	1800	IN	RRSIG	NSEC 13 3 3600 20171220135446 20171212105446 18512 miek.nl. cVUQWs8xw=="),
		},
	},
	{
		// Existing name, missing type (NODATA): NSEC at the apex lists the
		// types that do exist and omits HINFO.
		Qname: "miek.nl.",
		Qtype: dns.TypeHINFO,
		Do:    true,
		Ns: []dns.RR{
			test.NSEC("miek.nl.	1800	IN	NSEC	\\000.miek.nl. A NS SOA MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC DNSKEY TLSA HIP OPENPGPKEY SPF"),
			test.RRSIG("miek.nl.	1800	IN	RRSIG	NSEC 13 2 3600 20171220141741 20171212111741 18512 miek.nl. GuXROL7Uu+UiPcg=="),
			test.RRSIG("miek.nl.	1800	IN	RRSIG	SOA 13 2 3600 20171220141741 20171212111741 18512 miek.nl. 8bLTReqmuQtw=="),
			test.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
		},
	},
	{
		// Outside every configured zone: falls through the plugin chain to
		// the error handler and must surface as SERVFAIL, not a forged answer.
		Qname: "www.example.org.",
		Qtype: dns.TypeAAAA,
		Do:    true,
		Rcode: dns.RcodeServerFailure,
	},
}
| 
 | |
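// TestLookupZone runs dnsTestCases through a dnssec plugin chained in front of
// the file plugin serving dbMiekNL, so zone data comes from the file plugin
// and the RRSIG/NSEC records expected by the cases are produced by dnssec.
func TestLookupZone(t *testing.T) {
	zone, err := file.Parse(strings.NewReader(dbMiekNL), "miek.nl.", "stdin", 0)
	if err != nil {
		// A bare return here would let the test pass without running a single case.
		t.Fatalf("parsing zone %q: %v", "miek.nl.", err)
	}
	fm := file.File{Next: test.ErrorHandler(), Zones: file.Zones{Z: map[string]*file.Zone{"miek.nl.": zone}, Names: []string{"miek.nl."}}}
	dnskey, rm1, rm2 := newKey(t)
	defer rm1() // cleanups returned by newKey; still run on t.Fatalf via Goexit
	defer rm2()
	c := cache.New(defaultCap)
	dh := New([]string{"miek.nl."}, []*DNSKEY{dnskey}, false, fm, c)

	for _, tc := range dnsTestCases {
		m := tc.Msg()

		rec := dnstest.NewRecorder(&test.ResponseWriter{})
		if _, err := dh.ServeDNS(context.TODO(), rec, m); err != nil {
			t.Fatalf("%s/%s: expected no error, got %v", tc.Qname, dns.TypeToString[tc.Qtype], err)
		}
		// Guard the dereference inside SortAndCheck if the handler never wrote.
		if rec.Msg == nil {
			t.Fatalf("%s/%s: handler wrote no response", tc.Qname, dns.TypeToString[tc.Qtype])
		}

		test.SortAndCheck(t, rec.Msg, tc)
	}
}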
| 
 | |
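// TestLookupDNSKEY queries the dnssec plugin directly (Next is an error
// handler, so no zone data is involved) and checks that DNSKEY responses are
// authoritative, match dnssecTestCases, and that any NSEC in the authority
// section does not claim the queried type exists.
func TestLookupDNSKEY(t *testing.T) {
	dnskey, rm1, rm2 := newKey(t)
	defer rm1() // cleanups returned by newKey; still run on t.Fatalf via Goexit
	defer rm2()
	c := cache.New(defaultCap)
	dh := New([]string{"miek.nl."}, []*DNSKEY{dnskey}, false, test.ErrorHandler(), c)

	for _, tc := range dnssecTestCases {
		m := tc.Msg()

		rec := dnstest.NewRecorder(&test.ResponseWriter{})
		if _, err := dh.ServeDNS(context.TODO(), rec, m); err != nil {
			t.Fatalf("%s/%s: expected no error, got %v", tc.Qname, dns.TypeToString[tc.Qtype], err)
		}

		resp := rec.Msg
		if resp == nil {
			t.Fatalf("%s/%s: handler wrote no response", tc.Qname, dns.TypeToString[tc.Qtype])
		}
		if !resp.Authoritative {
			t.Errorf("Authoritative Answer should be true, got false")
		}

		test.SortAndCheck(t, resp, tc)

		// An NSEC in the authority section asserts which types exist at its
		// owner. If its bitmap listed the queried type, the denial would
		// contradict itself and a validator would reject the response.
		// (dnssecTestCases currently carry no Ns section, so this guards
		// future NODATA cases.)
		for _, rr := range resp.Ns {
			n, ok := rr.(*dns.NSEC)
			if !ok {
				continue
			}
			for _, typ := range n.TypeBitMap {
				if typ == tc.Qtype {
					t.Errorf("Bitmap contains qtype: %d", tc.Qtype)
				}
			}
		}
	}
}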
| 
 | |
// dbMiekNL is the unsigned miek.nl. zone served by the file plugin in
// TestLookupZone. It carries no DNSKEY, RRSIG or NSEC records of its own —
// those in dnsTestCases must be produced by the dnssec plugin — and it has no
// HINFO at the apex and no "wwwww" name, which the NODATA/NSEC cases rely on.
const dbMiekNL = `
$TTL    30M
$ORIGIN miek.nl.
@       IN      SOA     linode.atoom.net. miek.miek.nl. (
                             1282630057 ; Serial
                             4H         ; Refresh
                             1H         ; Retry
                             7D         ; Expire
                             4H )       ; Negative Cache TTL
                IN      NS      linode.atoom.net.

                IN      MX      1  aspmx.l.google.com.

                IN      A       139.162.196.78
                IN      AAAA    2a01:7e00::f03c:91ff:fef1:6735

a               IN      A       139.162.196.78
                IN      AAAA    2a01:7e00::f03c:91ff:fef1:6735
www             IN      CNAME   a`