From 5e8895ce1fa06f5a62d788a3b222c52ef36c5e25 Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Tue, 25 Oct 2016 17:24:25 +0200 Subject: [PATCH] Add test for #4466 --- .../recursortests.py | 22 +++++++++++++++++-- .../test_Interop.py | 15 +++++++++++++ 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/regression-tests.recursor-dnssec/recursortests.py b/regression-tests.recursor-dnssec/recursortests.py index 2f240b35d..d7081a5bb 100644 --- a/regression-tests.recursor-dnssec/recursortests.py +++ b/regression-tests.recursor-dnssec/recursortests.py @@ -79,6 +79,10 @@ secure.example. 3600 IN NS ns.secure.example. secure.example. 3600 IN DS 64723 13 1 53eb985040d3a89bacf29dbddb55a65834706f33 ns.secure.example. 3600 IN A {prefix}.9 +cname-secure.example. 3600 IN NS ns.cname-secure.example. +cname-secure.example. 3600 IN DS 49148 13 1 a10314452d5ec4d97fcc6d7e275d217261fe790f +ns.cname-secure.example. 3600 IN A {prefix}.15 + bogus.example. 3600 IN NS ns.bogus.example. bogus.example. 3600 IN DS 65034 13 1 6df3bb50ea538e90eacdd7ae5419730783abb0ee ns.bogus.example. 3600 IN A {prefix}.12 @@ -101,6 +105,8 @@ secure.example. 3600 IN SOA {soa} secure.example. 3600 IN NS ns.secure.example. ns.secure.example. 3600 IN A {prefix}.9 +secure.example. 3600 IN A 192.0.2.17 + host1.secure.example. 3600 IN A 192.0.2.2 cname.secure.example. 3600 IN CNAME host1.secure.example. cname-to-insecure.secure.example. 3600 IN CNAME node1.insecure.example. @@ -120,6 +126,12 @@ insecure.sub2.secure.example. 3600 IN NS ns1.insecure.example. *.cnamewildcardnxdomain.secure.example. 3600 IN CNAME doesntexist.secure.example. cname-to-formerr.secure.example. 3600 IN CNAME host1.insecure-formerr.example. + """, + 'cname-secure.example': """ +cname-secure.example. 3600 IN SOA {soa} +cname-secure.example. 3600 IN NS ns.cname-secure.example. +ns.cname-secure.example. 3600 IN A {prefix}.15 +cname-secure.example. 3600 IN CNAME secure.example. """, 'bogus.example': """ bogus.example. 3600 IN SOA {soa} 
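Review bot: The `'cname-secure.example'` zone added in the `@@ -120` hunk of recursortests.py puts a CNAME at the apex next to the SOA and NS records, and nothing marks this as intentional. The DNS specifications do not allow other data at a CNAME owner name, so a later maintainer could read the fixture as a mistake and correct it, after which the test would no longer exercise the #4466 case. A Python comment directly above the dict key would record the intent, for example `# Deliberately invalid: CNAME at the zone apex beside SOA/NS, needed to reproduce #4466`. The zones dict opens outside this hunk.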
@@ -233,7 +245,13 @@ PrivateKey: xcNUxt1Knj14A00lKQFDboluiJyM2f7FxpgsQaQ3AQ4= Private-key-format: v1.2 Algorithm: 13 (ECDSAP256SHA256) PrivateKey: o9F5iix8V68tnMcuOaM2Lt8XXhIIY//SgHIHEePk6cM= - """ + """, + + 'cname-secure.example': """ +Private-key-format: v1.2 +Algorithm: 13 (ECDSAP256SHA256) +PrivateKey: kvoV/g4IO/tefSro+FLJ5UC7H3BUf0IUtZQSUOfQGyA= +""" } # This dict is keyed with the suffix of the IP address and its value @@ -247,7 +265,7 @@ PrivateKey: o9F5iix8V68tnMcuOaM2Lt8XXhIIY//SgHIHEePk6cM= '12': ['bogus.example', 'undelegated.secure.example', 'undelegated.insecure.example'], '13': ['insecure.example', 'insecure.sub2.secure.example'], '14': ['optout.example'], - '15': ['insecure.optout.example', 'secure.optout.example'] + '15': ['insecure.optout.example', 'secure.optout.example', 'cname-secure.example'] } _auth_cmd = ['authbind', diff --git a/regression-tests.recursor-dnssec/test_Interop.py b/regression-tests.recursor-dnssec/test_Interop.py index 963593451..8d1eec2f8 100644 --- a/regression-tests.recursor-dnssec/test_Interop.py +++ b/regression-tests.recursor-dnssec/test_Interop.py 
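Review bot: The ECDSA key added for `'cname-secure.example'` in the `@@ -233` hunk has no comment linking it to the DS record with key tag 49148 that the `@@ -79` hunk adds to the parent zone, which is presumably derived from this key. If the key is regenerated and the DS is not, the zone would validate as Bogus for a reason unrelated to the code under test. A comment above the entry such as `# Fixture key, test use only; the cname-secure.example DS in the 'example' zone must match it` documents the dependency and helps anyone triaging a secret-scanner hit on this file. The enclosing dict starts before the hunk.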
@@ -105,6 +105,21 @@ forward-zones+=undelegated.insecure.example=%s.12 self.assertRcodeEqual(res, dns.rcode.NXDOMAIN) self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO']) + def testBothSecureCNAMEAtApex(self): + """ + #4466: a CNAME at the apex of a secure domain to another secure domain made us use the wrong DNSKEY to validate + """ + query = dns.message.make_query('cname-secure.example.', 'A') + query.flags |= dns.flags.AD + + res = self.sendUDPQuery(query) + expectedCNAME = dns.rrset.from_text('cname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'secure.example.') + expectedA = dns.rrset.from_text('secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.17') + + self.assertRRsetInAnswer(res, expectedA) + self.assertRRsetInAnswer(res, expectedCNAME) + self.assertRcodeEqual(res, dns.rcode.NOERROR) + self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO']) @classmethod def startResponders(cls): -- 2.40.0
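Review bot: The query in `testBothSecureCNAMEAtApex` is built without `want_dnssec=True`, yet the final assertion expects the `DO` EDNS flag on the response. `sendUDPQuery` and `assertMessageHasFlags` are defined outside this hunk, so whether that holds depends on code not shown here; if neither adds EDNS to the request, the check may fail or pass for the wrong reason. Building the request as `query = dns.message.make_query('cname-secure.example.', 'A', want_dnssec=True)` makes it match what is asserted. A short comment that the `AD` flag is the assertion showing the answer validated with the right DNSKEY would also help, since the docstring describes the bug but not how the test detects it.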