auto luaconfsCopy = g_luaconfs.getCopy();
luaconfsCopy.dsAnchors.clear();
luaconfsCopy.dsAnchors[g_rootdnsname].insert(drc);
- cerr<<"inserted DS for root with tag "<<drc.d_tag<<" and algo "<<drc.d_algorithm<<endl;
g_luaconfs.setState(luaconfsCopy);
size_t queriesCount = 0;
BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1);
BOOST_CHECK(ret[0].d_type == QType::A);
- /* only 5 because no DNSKEY query for powerdns.com (insecure) */
- BOOST_CHECK_EQUAL(queriesCount, 5);
+ /* only 4 because no DS query for powerdns.com (DS denial in referral), and then no DNSKEY query either (insecure) */
+ BOOST_CHECK_EQUAL(queriesCount, 4);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1);
BOOST_CHECK(ret[0].d_type == QType::A);
- BOOST_CHECK_EQUAL(queriesCount, 5);
+ BOOST_CHECK_EQUAL(queriesCount, 4);
}
BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_nodata) {
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1);
- /* only 5 because no DNSKEY query for powerdns.com (insecure) */
- BOOST_CHECK_EQUAL(queriesCount, 5);
+ /* same as above */
+ BOOST_CHECK_EQUAL(queriesCount, 4);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1);
- BOOST_CHECK_EQUAL(queriesCount, 5);
+ BOOST_CHECK_EQUAL(queriesCount, 4);
}
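Review bot: The replacement comment `/* same as above */` before the updated queriesCount check drops the explanation the old comment carried, and "above" points at a different test case, so the expected count is no longer self-explaining here. Suggest carrying the reasoning inline: `/* only 4 because no DS query for powerdns.com (DS denial in referral), and then no DNSKEY query either (insecure) */`. The body of test_dnssec_secure_to_insecure_nodata begins outside the hunk.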
BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname) {
std::unique_ptr<SyncRes> sr;
- initSR(sr, true, true);
+ initSR(sr, true);
g_dnssecmode = DNSSECMode::ValidateAll;
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 3);
- BOOST_CHECK_EQUAL(queriesCount, 9);
+ BOOST_CHECK_EQUAL(queriesCount, 8);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 3);
- BOOST_CHECK_EQUAL(queriesCount, 9);
+ BOOST_CHECK_EQUAL(queriesCount, 8);
}
BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta) {
/* We got a RRSIG */
BOOST_REQUIRE_EQUAL(ret.size(), 2);
BOOST_CHECK(ret[0].d_type == QType::A);
- /* only 5 because no DNSKEY query for com (insecure) */
- BOOST_CHECK_EQUAL(queriesCount, 5);
+ /* only 4 because no DNSKEY query for com (insecure) */
+ BOOST_CHECK_EQUAL(queriesCount, 4);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2);
BOOST_CHECK(ret[0].d_type == QType::A);
- BOOST_CHECK_EQUAL(queriesCount, 5);
+ BOOST_CHECK_EQUAL(queriesCount, 4);
}
BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta_norrsig) {
/* No RRSIG */
BOOST_REQUIRE_EQUAL(ret.size(), 1);
BOOST_CHECK(ret[0].d_type == QType::A);
- /* only 4 because no DNSKEY query for com (insecure) and no RRSIG meaning no DNSKEY for powerdns.com */
- BOOST_CHECK_EQUAL(queriesCount, 4);
+ /* only 3 because no DNSKEY query for com (insecure) and no RRSIG meaning no DNSKEY for powerdns.com */
+ BOOST_CHECK_EQUAL(queriesCount, 3);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
BOOST_REQUIRE_EQUAL(ret.size(), 1);
BOOST_CHECK(ret[0].d_type == QType::A);
- BOOST_CHECK_EQUAL(queriesCount, 4);
+ BOOST_CHECK_EQUAL(queriesCount, 3);
}
#if 0
BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_hidden_cut) {
std::unique_ptr<SyncRes> sr;
- initSR(sr, true, true, true);
+ initSR(sr, true, true);
g_dnssecLOG = true;
g_dnssecmode = DNSSECMode::ValidateAll;
else if (ip == ComboAddress("192.0.2.1:53")) {
setLWResult(res, 0, false, false, true);
addRecordToLW(res, domain, QType::NS, "ns.gov.nl.ca.", DNSResourceRecord::AUTHORITY, 3600);
- /* no DS */
- addNSECRecordToLW(domain, DNSName("gow.nl.ca."), { QType::NS }, 600, res->d_records);
+ /* denial of DS FOR nl.ca while sending a referral for gov.nl.ca !! */
+ addNSECRecordToLW(DNSName("nl.ca"), DNSName("nm.ca."), { QType::NS }, 600, res->d_records);
addRRSIG(keys, res->d_records, DNSName("ca."), 300);
addRecordToLW(res, "ns.gov.nl.ca.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
return 1;
return RCode::NoError;
}
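Review bot: The mock change in test_dnssec_secure_to_insecure_hidden_cut now builds exactly the case this commit is about — an NSEC denying the DS for nl.ca inside a referral for gov.nl.ca — but the whole test case sits under `#if 0`, so the updated expectation is compiled out and the resolver-side change has no regression coverage for the hidden-cut scenario. If the case is still known to fail, a one-line comment above the `#if 0` saying why (and what is needed to enable it) would keep the intent from being lost; otherwise enabling it alongside this change looks like the right time. The test case's earlier lines (its setup and the rest of the mock lambda) are outside the hunk.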
-void SyncRes::getDenialValidationState(NegCache::NegCacheEntry& ne, vState& state, const dState expectedState)
+void SyncRes::getDenialValidationState(NegCache::NegCacheEntry& ne, vState& state, const dState expectedState, bool allowOptOut)
{
ne.d_validationState = state;
cspmap_t csp = harvestCSPFromNE(ne);
dState res = getDenial(csp, ne.d_name, ne.d_qtype.getCode());
if (res != expectedState) {
- if (ne.d_qtype.getCode() == QType::DS && res == OPTOUT) {
- LOG("Invalid denial found for "<<ne.d_name<<", retuning Insecure"<<endl);
- ne.d_validationState = Insecure;
+ if (res == OPTOUT && allowOptOut) {
+ LOG("OPT-out denial found for "<<ne.d_name<<", retuning Insecure"<<endl);
+ ne.d_validationState = Secure;
+ updateValidationState(state, Insecure);
+ return;
}
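Review bot: In the new OPTOUT branch the negative cache entry is marked `Secure` while the caller's state is downgraded to `Insecure`, and the adjacent log line says "Insecure", so a reader cannot tell from the code which of the two is intended without a comment; suggest `/* the opt-out denial itself validates (Secure), but it proves nothing about the child, so the caller's state becomes Insecure */` above `ne.d_validationState = Secure;`, and fixing "retuning" to "returning" in the message while it is being rewritten. The old condition required `ne.d_qtype.getCode() == QType::DS`; that restriction now lives in the callers (`false` for the NXDOMAIN call, `qtype == QType::DS` for the NXQTYPE call), so the new parameter deserves a comment on the declaration such as `/* allowOptOut: only meaningful for DS lookups, where an NSEC3 opt-out denial proves an insecure delegation rather than a Bogus answer */`. The else branch of getDenialValidationState continues outside the hunk.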
else {
LOG("Invalid denial found for "<<ne.d_name<<", retuning Bogus"<<endl);
ne.d_qtype = QType(0); // this encodes 'whole record'
ne.d_auth = rec.d_name;
harvestNXRecords(lwr.d_records, ne);
- getDenialValidationState(ne, state, NXDOMAIN);
+ getDenialValidationState(ne, state, NXDOMAIN, false);
t_sstorage.negcache.add(ne);
if(s_rootNXTrust && ne.d_auth.isRoot() && auth.isRoot()) {
ne.d_name = ne.d_name.getLastLabel();
else if(rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::DS && qname.isPartOf(rec.d_name)) {
LOG(prefix<<qname<<": got DS record '"<<rec.d_name<<"' -> '"<<rec.d_content->getZoneRepresentation()<<"'"<<endl);
}
- else if(qtype == QType::DS && (rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3)) {
+ else if(realreferral && rec.d_place==DNSResourceRecord::AUTHORITY && (rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && newauth.isPartOf(auth)) {
/* we might have received a denial of the DS, let's check */
if (state == Secure) {
NegCache::NegCacheEntry ne;
ne.d_auth = auth;
ne.d_ttd = d_now.tv_sec + rec.d_ttl;
- ne.d_name = qname;
- ne.d_qtype = qtype;
+ ne.d_name = newauth;
+ ne.d_qtype = QType::DS;
harvestNXRecords(lwr.d_records, ne);
cspmap_t csp = harvestCSPFromNE(ne);
- dState denialState = getDenial(csp, qname, qtype.getCode());
+ dState denialState = getDenial(csp, newauth, QType::DS);
if (denialState == NXQTYPE || denialState == OPTOUT) {
- LOG(prefix<<qname<<": got negative indication of DS record for '"<<qname<<endl);
+ ne.d_validationState = Secure;
rec.d_ttl = min(s_maxnegttl, rec.d_ttl);
- ret.push_back(rec);
+ LOG(prefix<<qname<<": got negative indication of DS record for '"<<newauth<<endl);
if(!wasVariable()) {
t_sstorage.negcache.add(ne);
}
- negindic = true;
}
}
}
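Review bot: `ne.d_ttd = d_now.tv_sec + rec.d_ttl;` is computed before `rec.d_ttl = min(s_maxnegttl, rec.d_ttl);`, so the negative cache entry this branch now stores for the "no DS at newauth" result lives for the uncapped NSEC/NSEC3 TTL rather than the clamped one; if s_maxnegttl is meant to bound negative cache lifetime, a response carrying a large TTL on its denial records would pin the insecure-delegation result past that limit. A one-line fix is `ne.d_ttd = d_now.tv_sec + min(s_maxnegttl, rec.d_ttl);` (or moving the clamp above the d_ttd assignment). Separately, both NXQTYPE and OPTOUT now store the entry as `Secure`; a short comment on that line noting that for OPTOUT the entry records a proven-insecure delegation rather than a validated denial would make the later cache hit easier to reason about. The enclosing loop over lwr.d_records starts and ends outside the hunk.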
ne.d_name = qname;
ne.d_qtype = qtype;
harvestNXRecords(lwr.d_records, ne);
- getDenialValidationState(ne, state, NXQTYPE);
+ getDenialValidationState(ne, state, NXQTYPE, qtype == QType::DS);
if(qtype.getCode()) { // prevents us from blacking out a whole domain
t_sstorage.negcache.add(ne);
}