Commit d1f64eda authored by Jelte Jansen

[1696] added all example tests from RFC5155 appendix B

Tweaked querying.py a bit; response section checks are now case-insensitive and order-independent
Found one bug; wildcard response does not appear to include RRSIG in answer section, relevant check commented out for now (i.e. lettuce should currently not produce errors)
parent f6d6f8d9
......@@ -2,7 +2,150 @@ Feature: NSEC3 Authoritative service
This feature tests NSEC3 as defined in RFC5155, using the example
zone from appendix A and testing responses appendix B.
Additional tests can be added as well
# Data is taken directly from RFC5155; with 1 changes:
# inserted whitespace in base64 output where it is inserted by dig
Scenario: B.1. Name Error
Given I have bind10 running with configuration nsec3/nsec3_auth.config
A query for a.c.x.w.example. should have rcode NXDOMAIN
A dnssec query for a.c.x.w.example. should have rcode NXDOMAIN
The last query response should have flags qr aa rd
# TODO: check DO bit?
The last query response should have ancount 0
The last query response should have nscount 8
The last query response should have adcount 1
The authority section of the last query response should be
"""
example. 3600 IN SOA ns1.example. bugs.x.w.example. 1 3600 300 3600000 3600
example. 3600 IN RRSIG SOA 7 1 3600 20150420235959 20051021000000 40430 example. Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8iq4ZLlYWfUUbbAS41pG+6 8z81q1xhkYAcEyHdVI2LmKusbZsT0Q==
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 1 1 12 aabbccdd 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA MX RRSIG DNSKEY NSEC3PARAM
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKLIBHYH6blRxK9rC0bMJPw Q4mLIuw85H2EY762BOCXJZMnpuwhpA==
b4um86eghhds6nea196smvmlo4ors995.example. 3600 IN NSEC3 1 1 12 aabbccdd gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG
b4um86eghhds6nea196smvmlo4ors995.example. 3600 IN RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 40430 example. ZkPG3M32lmoHM6pa3D6gZFGB/rhL//Bs3Omh5u4m/CUiwtblEVOaAKKZ d7S959OeiX43aLX3pOv0TSTyiTxIZg==
35mthgpgcu1qg68fab165klnsnk3dpvl.example. 3600 IN NSEC3 1 1 12 aabbccdd b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG
35mthgpgcu1qg68fab165klnsnk3dpvl.example. 3600 IN RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 40430 example. g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQAynzo8EUWH+z6hEIBlUT PGj15eZll6VhQqgZXtAIR3chwgW+SA==
"""
Scenario: B.2. No Data Error
Given I have bind10 running with configuration nsec3/nsec3_auth.config
A dnssec query for ns1.example. type MX should have rcode NOERROR
The last query response should have flags qr aa rd
# TODO: check DO bit?
The last query response should have ancount 0
The last query response should have nscount 4
The last query response should have adcount 1
The authority section of the last query response should be
"""
example. 3600 IN SOA ns1.example. bugs.x.w.example. 1 3600 300 3600000 3600
example. 3600 IN RRSIG SOA 7 1 3600 20150420235959 20051021000000 40430 example. Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8iq4ZLlYWfUUbbAS41pG+6 8z81q1xhkYAcEyHdVI2LmKusbZsT0Q==
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. 3600 IN NSEC3 1 1 12 aabbccdd 2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. 3600 IN RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 40430 example. OmBvJ1Vgg1hCKMXHFiNeIYHK9XVW0iLDLwJN4TFoNxZuP03gAXEI634Y wOc4YBNITrj413iqNI6mRk/r1dOSUw==
"""
Scenario: B2.1. No Data Error, Empty Non-Terminal
Given I have bind10 running with configuration nsec3/nsec3_auth.config
A dnssec query for y.w.example. should have rcode NOERROR
The last query response should have flags qr aa rd
# TODO: check DO bit?
The last query response should have ancount 0
The last query response should have nscount 4
The last query response should have adcount 1
The authority section of the last query response should be
"""
example. 3600 IN SOA ns1.example. bugs.x.w.example. 1 3600 300 3600000 3600
example. 3600 IN RRSIG SOA 7 1 3600 20150420235959 20051021000000 40430 example. Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8iq4ZLlYWfUUbbAS41pG+6 8z81q1xhkYAcEyHdVI2LmKusbZsT0Q==
ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. 3600 IN NSEC3 1 1 12 aabbccdd k8udemvp1j2f7eg6jebps17vp3n8i58h
ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. 3600 IN RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 40430 example. gPkFp1s2QDQ6wQzcg1uSebZ61W33rUBDcTj72F3kQ490fEdp7k1BUIfb cZtPbX3YCpE+sIt0MpzVSKfTwx4uYA==
"""
Scenario: B.3. Referral to an Opt-Out Unsigned Zone
Given I have bind10 running with configuration nsec3/nsec3_auth.config
A dnssec query for mc.c.example. type MX should have rcode NOERROR
The last query response should have flags qr rd
# TODO: check DO bit?
The last query response should have ancount 0
The last query response should have nscount 6
The last query response should have adcount 3
The authority section of the last query response should be
"""
c.example. 3600 IN NS ns1.c.example.
c.example. 3600 IN NS ns2.c.example.
35mthgpgcu1qg68fab165klnsnk3dpvl.example. 3600 IN NSEC3 1 1 12 aabbccdd b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG
35mthgpgcu1qg68fab165klnsnk3dpvl.example. 3600 IN RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 40430 example. g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQAynzo8EUWH+z6hEIBlUT PGj15eZll6VhQqgZXtAIR3chwgW+SA==
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 1 1 12 aabbccdd 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA MX RRSIG DNSKEY NSEC3PARAM
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKLIBHYH6blRxK9rC0bMJPw Q4mLIuw85H2EY762BOCXJZMnpuwhpA==
"""
The additional section of the last query response should be
"""
ns1.c.example. 3600 IN A 192.0.2.7
ns2.c.example. 3600 IN A 192.0.2.8
"""
Scenario: B.4. Wildcard Expansion
Given I have bind10 running with configuration nsec3/nsec3_auth.config
A dnssec query for a.z.w.example. type MX should have rcode NOERROR
The last query response should have flags qr aa rd
# TODO: check DO bit?
# BUG: NO RRSIG IN WILDCARD RESPONSE!!!
#The last query response should have ancount 2
The last query response should have nscount 5
The last query response should have adcount 9
#The answer section of the last query response should be
#"""
#a.z.w.example. 3600 IN MX 1 ai.example.
#a.z.w.example. 3600 IN RRSIG MX 7 2 3600 20150420235959 20051021000000 40430 example. CikebjQwGQPwijVcxgcZcSJKtfynugtlBiKb9FcBTrmOoyQ4InoWVudh CWsh/URX3lc4WRUMivEBP6+4KS3ldA==
#"""
The authority section of the last query response should be
"""
example. 3600 IN NS ns1.example.
example. 3600 IN NS ns2.example.
example. 3600 IN RRSIG NS 7 1 3600 20150420235959 20051021000000 40430 example. PVOgtMK1HHeSTau+HwDWC8Ts+6C8qtqd4pQJqOtdEVgg+MA+ai4fWDEh u3qHJyLcQ9tbD2vvCnMXjtz6SyObxA==
q04jkcevqvmu85r014c7dkba38o0ji5r.example. 3600 IN NSEC3 1 1 12 aabbccdd r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG
q04jkcevqvmu85r014c7dkba38o0ji5r.example. 3600 IN RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 40430 example. hV5I89b+4FHJDATp09g4bbN0R1F845CaXpL3ZxlMKimoPAyqletMlEWw LfFia7sdpSzn+ZlNNlkxWcLsIlMmUg==
"""
# This is slightly different from the example in RFC5155
The additional section of the last query response should be
"""
ai.example. 3600 IN A 192.0.2.9
ai.example. 3600 IN AAAA 2001:db8::f00:baa9
ns1.example. 3600 IN A 192.0.2.1
ns2.example. 3600 IN A 192.0.2.2
ai.example. 3600 IN RRSIG A 7 2 3600 20150420235959 20051021000000 40430 example. hVe+wKYMlObTRPhX0NL67GxeZfdxqr/QeR6FtfdAj5+FgYxyzPEjIzvK Wy00hWIl6wD3Vws+rznEn8sQ64UdqA==
ai.example. 3600 IN RRSIG AAAA 7 2 3600 20150420235959 20051021000000 40430 example. LcdxKaCB5bGZwPDg+3JJ4O02zoMBrjxqlf6WuaHQZZfTUpb9Nf2nxFGe 2XRPfR5tpJT6GdRGcHueLuXkMjBArQ==
ns1.example. 3600 IN RRSIG A 7 2 3600 20150420235959 20051021000000 40430 example. bu6kx73n6XEunoVGuRfAgY7EF/AJqHy7hj0jkiqJjB0dOrx3wuz9SaBe GfqWIdn/uta3SavN4FRvZR9SCFHF5Q==
ns2.example. 3600 IN RRSIG A 7 2 3600 20150420235959 20051021000000 40430 example. ktQ3TqE0CfRfki0Rb/Ip5BM0VnxelbuejCC4zpLbFKA/7eD7UNAwxMgx JPtbdST+syjYSJaj4IHfeX6n8vfoGA==
"""
Scenario: B.5. Wildcard No Data Error
Given I have bind10 running with configuration nsec3/nsec3_auth.config
A dnssec query for a.z.w.example. type AAAA should have rcode NOERROR
The last query response should have flags qr aa rd
The last query response should have ancount 0
The last query response should have nscount 8
The last query response should have adcount 1
The authority section of the last query response should be
"""
example. 3600 IN SOA ns1.example. bugs.x.w.example. 1 3600 300 3600000 3600
example. 3600 IN RRSIG SOA 7 1 3600 20150420235959 20051021000000 40430 example. Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8iq4ZLlYWfUUbbAS41pG+6 8z81q1xhkYAcEyHdVI2LmKusbZsT0Q==
k8udemvp1j2f7eg6jebps17vp3n8i58h.example. 3600 IN NSEC3 1 1 12 aabbccdd kohar7mbb8dc2ce8a9qvl8hon4k53uhi
k8udemvp1j2f7eg6jebps17vp3n8i58h.example. 3600 IN RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 40430 example. FtXGbvF0+wf8iWkyo73enAuVx03klN+pILBKS6qCcftVtfH4yVzsEZqu J27NHR7ruxJWDNMtOtx7w9WfcIg62A==
q04jkcevqvmu85r014c7dkba38o0ji5r.example. 3600 IN NSEC3 1 1 12 aabbccdd r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG
q04jkcevqvmu85r014c7dkba38o0ji5r.example. 3600 IN RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 40430 example. hV5I89b+4FHJDATp09g4bbN0R1F845CaXpL3ZxlMKimoPAyqletMlEWw LfFia7sdpSzn+ZlNNlkxWcLsIlMmUg==
r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. 3600 IN NSEC3 1 1 12 aabbccdd t644ebqk9bibcna874givr6joj62mlhv MX RRSIG
r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. 3600 IN RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 40430 example. aupviViruXs4bDg9rCbezzBMf9h1ZlDvbW/CZFKulIGXXLj8B/fsDJar XVDA9bnUoRhEbKp+HF1FWKW7RIJdtQ==
"""
Scenario: B.6. DS Child Zone No Data Error
Given I have bind10 running with configuration nsec3/nsec3_auth.config
A dnssec query for example. type DS should have rcode NOERROR
The last query response should have flags qr aa rd
The last query response should have ancount 0
The last query response should have nscount 4
The last query response should have adcount 1
The authority section of the last query response should be
"""
example. 3600 IN SOA ns1.example. bugs.x.w.example. 1 3600 300 3600000 3600
example. 3600 IN RRSIG SOA 7 1 3600 20150420235959 20051021000000 40430 example. Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8iq4ZLlYWfUUbbAS41pG+6 8z81q1xhkYAcEyHdVI2LmKusbZsT0Q==
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 1 1 12 aabbccdd 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA MX RRSIG DNSKEY NSEC3PARAM
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKLIBHYH6blRxK9rC0bMJPw Q4mLIuw85H2EY762BOCXJZMnpuwhpA==
"""
......@@ -58,7 +58,8 @@ class QueryResult(object):
flags_re = re.compile("flags: ([a-z ]+); QUERY: ([0-9]+), ANSWER: " +
"([0-9]+), AUTHORITY: ([0-9]+), ADDITIONAL: ([0-9]+)")
def __init__(self, name, qtype, qclass, address, port):
def __init__(self, name, qtype, qclass, address, port,
additional_args = None):
"""
Constructor. This fires of a query using dig.
Parameters:
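Review bot: Style point on the new signature: `additional_args = None` has spaces around the `=` of a default value, which PEP 8 advises against; write `additional_args=None`.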
......@@ -67,6 +68,7 @@ class QueryResult(object):
qclass: The RR class to query. Defaults to IN if it is None.
address: The IP adress to send the query to.
port: The port number to send the query to.
additional_args: List of additional arguments
All parameters must be either strings or have the correct string
representation.
Only one query attempt will be made.
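Review bot: The new docstring line `additional_args: List of additional arguments` does not say what the arguments are added to. State that they are extra command-line arguments for dig, placed before the query name, and give `+dnssec` as the example.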
......@@ -78,6 +80,8 @@ class QueryResult(object):
if qclass is not None:
args.append('-c')
args.append(str(qclass))
if additional_args is not None:
args.extend(additional_args)
args.append(name)
dig_process = subprocess.Popen(args, 1, None, None, subprocess.PIPE,
None)
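Review bot: `args.extend(additional_args)` passes the elements through unconverted, while the docstring promises that parameters only need to "have the correct string representation" and `qclass` is wrapped in `str()` just above. Either convert here, for example `args.extend(str(a) for a in additional_args)`, or state in the docstring that `additional_args` must be a list of strings.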
......@@ -179,9 +183,9 @@ class QueryResult(object):
"""
pass
@step('A query for ([\w.-]+) (?:type ([A-Z0-9]+) )?(?:class ([A-Z]+) )?' +
@step('A (dnssec )?query for ([\w.-]+) (?:type ([A-Z0-9]+) )?(?:class ([A-Z]+) )?' +
'(?:to ([^:]+)(?::([0-9]+))? )?should have rcode ([\w.]+)')
def query(step, query_name, qtype, qclass, addr, port, rcode):
def query(step, dnssec, query_name, qtype, qclass, addr, port, rcode):
"""
Run a query, check the rcode of the response, and store the query
result in world.last_query_result.
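Review bot: The step pattern now accepts an optional `dnssec ` word and `query()` gains a `dnssec` parameter, but the docstring lines shown here still describe only a plain query. Add a line saying that `A dnssec query for ...` sends the query with `+dnssec`, and that `dnssec` is None when the word is absent.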
......@@ -203,7 +207,10 @@ def query(step, query_name, qtype, qclass, addr, port, rcode):
addr = "127.0.0.1"
if port is None:
port = 47806
query_result = QueryResult(query_name, qtype, qclass, addr, port)
additional_arguments = []
if dnssec is not None:
additional_arguments.append("+dnssec")
query_result = QueryResult(query_name, qtype, qclass, addr, port, additional_arguments)
assert query_result.rcode == rcode,\
"Expected: " + rcode + ", got " + query_result.rcode
world.last_query_result = query_result
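Review bot: The local list is named `additional_arguments` while the constructor parameter is `additional_args`; use one name for both. The list is also always passed, even when empty, so the `None` default added to `QueryResult.__init__` is never used from this step, and the `QueryResult(...)` call is now long enough that it should be wrapped.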
......@@ -257,6 +264,7 @@ def check_last_query_section(step, section):
The expected response is taken from the multiline part of the step in the
scenario. Differing whitespace is ignored, but currently the order is
significant.
The comparison is case insensitive.
Fails if they do not match.
"""
response_string = None
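Review bot: The added sentence `The comparison is case insensitive.` follows "currently the order is significant", which this commit makes untrue because both sides are sorted line by line before they are compared. Change that sentence to say that the order of the records within a section is ignored.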
......@@ -265,15 +273,32 @@ def check_last_query_section(step, section):
elif section.lower() == 'answer':
response_string = "\n".join(world.last_query_result.answer_section)
elif section.lower() == 'authority':
response_string = "\n".join(world.last_query_result.answer_section)
response_string = "\n".join(world.last_query_result.authority_section)
elif section.lower() == 'additional':
response_string = "\n".join(world.last_query_result.answer_section)
response_string = "\n".join(world.last_query_result.additional_section)
else:
assert False, "Unknown section " + section
# Now mangle the data for 'conformance'
# This could be done more efficiently, but is done one
# by one on a copy of the original data, so it is clear
# what is done. Final error output is currently still the
# original unchanged multiline strings
# replace whitespace of any length by one space
response_string = re.sub("[ \t]+", " ", response_string)
expect = re.sub("[ \t]+", " ", step.multiline)
# lowercase them
response_string = response_string.lower()
expect = expect.lower()
# sort them
response_string_parts = response_string.split("\n")
response_string_parts.sort()
response_string = "\n".join(response_string_parts)
expect_parts = expect.split("\n")
expect_parts.sort()
expect = "\n".join(expect_parts)
assert response_string.strip() == expect.strip(),\
"Got:\n'" + response_string + "'\nExpected:\n'" + step.multiline +"'"