From: Remi Gacogne Date: Thu, 11 Apr 2019 13:24:37 +0000 (+0200) Subject: rec: Add a DNSSEC validation unit test for non-expanded wildcards X-Git-Tag: rec-4.2.0-beta1~3^2~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=eb7a2b0bb57a99eabaad99f1814505b766060e6e;p=pdns rec: Add a DNSSEC validation unit test for non-expanded wildcards --- diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc index f31f115e7..af8be9a94 100644 --- a/pdns/recursordist/test-syncres_cc.cc +++ b/pdns/recursordist/test-syncres_cc.cc @@ -6608,6 +6608,56 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_missing) { BOOST_CHECK_EQUAL(queriesCount, 9); } +BOOST_AUTO_TEST_CASE(test_dnssec_validation_non_expanded_wildcard) { + std::unique_ptr sr; + initSR(sr, true, true); + + setDNSSECValidation(sr, DNSSECMode::ValidateAll); + + primeHints(); + const DNSName target("*.powerdns.com."); + testkeysset_t keys; + + auto luaconfsCopy = g_luaconfs.getCopy(); + luaconfsCopy.dsAnchors.clear(); + generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); + generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); + generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); + + g_luaconfs.setState(luaconfsCopy); + + sr->setAsyncCallback([target,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional& srcmask, boost::optional context, LWResult* res, bool* chained) { + + if (type == QType::DS || type == QType::DNSKEY) { + if (domain == target) { + const auto auth = DNSName("powerdns.com."); + /* we don't want a cut there */ + setLWResult(res, 0, true, false, true); + addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); + addRRSIG(keys, res->d_records, auth, 300); + /* add a NSEC denying the DS */ + std::set types = { QType::NSEC }; + addNSECRecordToLW(domain, DNSName("z") + domain, types, 600, res->d_records); + addRRSIG(keys, res->d_records, auth, 300); + return 1; + } + return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); + } + else { + setLWResult(res, 0, true, false, true); + addRecordToLW(res, domain, QType::A, "192.0.2.42"); + addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300, false, boost::none, DNSName("*.powerdns.com")); + return 1; + } + }); + + vector ret; + int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NoError); + BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); + BOOST_REQUIRE_EQUAL(ret.size(), 2); +} + BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_secure) { std::unique_ptr sr; initSR(sr, true);