From: Remi Gacogne Date: Mon, 8 Jan 2018 14:43:47 +0000 (+0100) Subject: rec: Add unit tests to make sure we correctly detect an unsigned DS X-Git-Tag: dnsdist-1.3.0~158^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f100caacf6b5fe6624aa3909ad6cb988d7f22148;p=pdns rec: Add unit tests to make sure we correctly detect an unsigned DS --- diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc index c438c6f42..d3e945753 100644 --- a/pdns/recursordist/test-syncres_cc.cc +++ b/pdns/recursordist/test-syncres_cc.cc @@ -4279,6 +4279,144 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_algo) { BOOST_CHECK_EQUAL(queriesCount, 2); } +BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds) { + std::unique_ptr sr; + initSR(sr, true); + + setDNSSECValidation(sr, DNSSECMode::ValidateAll); + + primeHints(); + const DNSName target("com."); + const ComboAddress targetAddr("192.0.2.42"); + testkeysset_t keys; + + auto luaconfsCopy = g_luaconfs.getCopy(); + luaconfsCopy.dsAnchors.clear(); + generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors); + generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); + + g_luaconfs.setState(luaconfsCopy); + + size_t queriesCount = 0; + + sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional& srcmask, boost::optional context, std::shared_ptr outgoingLogger, LWResult* res) { + queriesCount++; + + DNSName auth = domain; + + if (type == QType::DS || type == QType::DNSKEY) { + if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys) == 0) { + return 0; + } + + if (type == QType::DS && domain == target) { + /* remove the last record, which is the DS's RRSIG */ + res->d_records.pop_back(); + } + + return 1; + } + + if (isRootServer(ip)) { + setLWResult(res, 0, false, false, true); + addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); + /* Include the DS but omit the RRSIG*/ + addDS(DNSName("com."), 300, res->d_records, keys); + addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); + return 1; + } + + if (ip == ComboAddress("192.0.2.1:53")) { + setLWResult(res, RCode::NoError, true, false, true); + addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600); + addRRSIG(keys, res->d_records, auth, 300); + return 1; + } + + return 0; + }); + + vector ret; + int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NoError); + BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); + BOOST_REQUIRE_EQUAL(ret.size(), 2); + BOOST_CHECK_EQUAL(queriesCount, 4); + + /* again, to test the cache */ + ret.clear(); + res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NoError); + BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); + BOOST_REQUIRE_EQUAL(ret.size(), 2); + BOOST_CHECK_EQUAL(queriesCount, 4); + + /* now we ask directly for the DS */ + ret.clear(); + res = sr->beginResolve(DNSName("com."), QType(QType::DS), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NoError); + BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); + BOOST_REQUIRE_EQUAL(ret.size(), 1); + BOOST_CHECK_EQUAL(queriesCount, 4); +} + +BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds_direct) { + std::unique_ptr sr; + initSR(sr, true); + + setDNSSECValidation(sr, DNSSECMode::ValidateAll); + + primeHints(); + const DNSName target("com."); + testkeysset_t keys; + + auto luaconfsCopy = g_luaconfs.getCopy(); + luaconfsCopy.dsAnchors.clear(); + generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors); + generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys); + + g_luaconfs.setState(luaconfsCopy); + + size_t queriesCount = 0; + + sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional& srcmask, boost::optional context, std::shared_ptr outgoingLogger, LWResult* res) { + queriesCount++; + + DNSName auth = domain; + + if (type == QType::DS || type == QType::DNSKEY) { + if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys) == 0) { + return 0; + } + + if (type == QType::DS && domain == target) { + /* remove the last record, which is the DS's RRSIG */ + res->d_records.pop_back(); + } + + return 1; + } + + if (isRootServer(ip)) { + setLWResult(res, 0, false, false, true); + addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600); + /* Include the DS but omit the RRSIG*/ + addDS(DNSName("com."), 300, res->d_records, keys); + addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600); + return 1; + } + + return 0; + }); + + vector ret; + int res = sr->beginResolve(DNSName("com."), QType(QType::DS), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NoError); + BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus); + BOOST_REQUIRE_EQUAL(ret.size(), 1); + BOOST_CHECK_EQUAL(queriesCount, 1); +} + BOOST_AUTO_TEST_CASE(test_dnssec_secure_various_algos) { std::unique_ptr sr; initSR(sr, true); @@ -7024,7 +7162,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname) { BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname_glue) { std::unique_ptr sr; - initSR(sr, true, true); + initSR(sr, true); setDNSSECValidation(sr, DNSSECMode::ValidateAll);