Commit a59d687d authored by Mark Andrews's avatar Mark Andrews
Browse files

4778. [test] Improve synth-from-dnssec testing. [RT #46352]

parent 89636d8f
4778. [test] Improve synth-from-dnssec testing. [RT #46352]
4777. [cleanup] Removed a redundant call to configure_view_acl().
[RT #46369]
 
......
/*
* Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
// NS4
controls { /* empty */ };
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
notify no;
dnssec-enable yes;
dnssec-validation yes;
synth-from-dnssec no;
};
zone "." {
type hint;
file "root.hints";
};
include "../ns1/trusted.conf";
// include "../../common/controls.conf";
; Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
. NS ns1
ns1 A 10.53.0.1
/*
* Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
// NS5
controls { /* empty */ };
options {
query-source address 10.53.0.5;
notify-source 10.53.0.5;
transfer-source 10.53.0.5;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
notify no;
dnssec-enable yes;
dnssec-validation yes;
synth-from-dnssec yes;
};
zone "." {
type hint;
file "root.hints";
};
include "../ns1/trusted.conf";
; Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
. NS ns1
ns1 A 10.53.0.1
......@@ -17,49 +17,58 @@ rm -f dig.out.*
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
DELVOPTS="-a ns1/trusted.conf -p 5300"
echo "I:prime negative NXDOMAIN response ($n)"
ret=0
$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
grep "status: NXDOMAIN," dig.out.ns2.test$n > /dev/null || ret=1
grep "example.*3600.IN.SOA" dig.out.ns2.test$n > /dev/null || ret=1
nxdomain=dig.out.ns2.test$n
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:prime negative NODATA response ($n)"
ret=0
$DIG $DIGOPTS nodata.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1
grep "example.*3600.IN.SOA" dig.out.ns2.test$n > /dev/null || ret=1
nodata=dig.out.ns2.test$n
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:prime wildcard response ($n)"
ret=0
$DIG $DIGOPTS a.wild-a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1
grep "a.wild-a.example.*3600.IN.A" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:prime wildcard CNAME response ($n)"
ret=0
$DIG $DIGOPTS a.wild-cname.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1
grep "a.wild-cname.example.*3600.IN.CNAME" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:prime redirect response (+nodnssec) ($n)"
for ns in 2 4 5
do
case $ns in
2) description="<default>";;
4) description="no";;
5) description="yes";;
*) exit 1;;
esac
echo "I:prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
ret=0
$DIG $DIGOPTS a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "status: NXDOMAIN," dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
[ $ns -eq ${ns} ] && nxdomain=dig.out.ns${ns}.test$n
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:prime negative NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
$DIG $DIGOPTS nodata.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
[ $ns -eq 2 ] && nodata=dig.out.ns${ns}.test$n
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:prime wildcard response (synth-from-dnssec ${description};) ($n)"
ret=0
$DIG $DIGOPTS a.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "a.wild-a.example.*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:prime wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
ret=0
$DIG $DIGOPTS a.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "a.wild-cname.example.*3600.IN.CNAME" dig.out.ns${ns}.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
done
echo "I:prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
ret=0
$DIG $DIGOPTS +nodnssec a.redirect. @10.53.0.3 a > dig.out.ns2.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null && ret=1
......@@ -69,54 +78,88 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
#
# ensure TTL of synthesised answers differs from direct answers.
#
sleep 1
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 dumpdb
echo "I:check synthesized NXDOMAIN response ($n)"
ret=0
$DIG $DIGOPTS b.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
grep "status: NXDOMAIN," dig.out.ns2.test$n > /dev/null || ret=1
grep "example.*3600.IN.SOA" dig.out.ns2.test$n > /dev/null && ret=1
$PERL ../digcomp.pl $nxdomain dig.out.ns2.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check synthesized NODATA response ($n)"
ret=0
$DIG $DIGOPTS nodata.example. @10.53.0.2 aaaa > dig.out.ns2.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1
grep "example.*3600.IN.SOA" dig.out.ns2.test$n > /dev/null && ret=1
$PERL ../digcomp.pl $nodata dig.out.ns2.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check synthesized wildcard response ($n)"
ret=0
$DIG $DIGOPTS b.wild-a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1
grep "b\.wild-a\.example\..*3600.IN.A" dig.out.ns2.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check synthesized wildcard CNAME response ($n)"
ret=0
$DIG $DIGOPTS b.wild-cname.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns2.test$n > /dev/null || ret=1
grep "b.wild-cname.example.*3600.IN.CNAME" dig.out.ns2.test$n > /dev/null && ret=1
grep "ns1.example.*.IN.A" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check redirect response (+dnssec) ($n)"
for ns in 2 4 5
do
case $ns in
2) synth=yes description="<default>";;
4) synth=no description="no";;
5) synth=yes description="yes";;
*) exit 1;;
esac
echo "I:check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
ret=0
$DIG $DIGOPTS b.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "status: NXDOMAIN," dig.out.ns${ns}.test$n > /dev/null || ret=1
if [ ${synth} = yes ]
then
grep "example.*IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null && ret=1
else
grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
fi
$PERL ../digcomp.pl $nxdomain dig.out.ns${ns}.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check synthesized NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
$DIG $DIGOPTS nodata.example. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
if [ ${synth} = yes ]
then
grep "example.*IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null && ret=1
else
grep "example.*3600.IN.SOA" dig.out.ns${ns}.test$n > /dev/null || ret=1
fi
$PERL ../digcomp.pl $nodata dig.out.ns${ns}.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check synthesized wildcard response (synth-from-dnssec ${description};) ($n)"
ret=0
$DIG $DIGOPTS b.wild-a.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
if [ ${synth} = yes ]
then
grep "b\.wild-a\.example\..*IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "b\.wild-a\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null && ret=1
else
grep "b\.wild-a\.example\..*3600.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
fi
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check synthesized wildcard CNAME response (synth-from-dnssec ${description};) ($n)"
ret=0
$DIG $DIGOPTS b.wild-cname.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "status: NOERROR," dig.out.ns${ns}.test$n > /dev/null || ret=1
if [ ${synth} = yes ]
then
grep "b.wild-cname.example.*IN.CNAME" dig.out.ns${ns}.test$n > /dev/null || ret=1
grep "b.wild-cname.example.*3600.IN.CNAME" dig.out.ns${ns}.test$n > /dev/null && ret=1
else
grep "b.wild-cname.example.*3600.IN.CNAME" dig.out.ns${ns}.test$n > /dev/null || ret=1
fi
grep "ns1.example.*.IN.A" dig.out.ns${ns}.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
done
echo "I:check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)"
ret=0
$DIG $DIGOPTS b.redirect. @10.53.0.3 a > dig.out.ns2.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null || ret=1
......@@ -126,7 +169,7 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check redirect response (+nodnssec) ($n)"
echo "I:check redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
ret=0
$DIG $DIGOPTS +nodnssec b.redirect. @10.53.0.3 a > dig.out.ns2.test$n || ret=1
grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null && ret=1
......
......@@ -8338,6 +8338,38 @@ log_noexistnodata(void *val, int level, const char *fmt, ...) {
va_end(ap);
}
static dns_ttl_t
query_synthttl(dns_rdataset_t *soardataset, dns_rdataset_t *sigsoardataset,
dns_rdataset_t *p1rdataset, dns_rdataset_t *sigp1rdataset,
dns_rdataset_t *p2rdataset, dns_rdataset_t *sigp2rdataset)
{
dns_rdata_soa_t soa;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_ttl_t ttl;
isc_result_t result;
REQUIRE(soardataset != NULL);
REQUIRE(sigsoardataset != NULL);
REQUIRE(p1rdataset != NULL);
REQUIRE(sigp1rdataset != NULL);
result = dns_rdataset_first(soardataset);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
dns_rdataset_current(soardataset, &rdata);
dns_rdata_tostruct(&rdata, &soa, NULL);
ttl = ISC_MIN(soa.minimum, soardataset->ttl);
ttl = ISC_MIN(ttl, sigsoardataset->ttl);
ttl = ISC_MIN(ttl, p1rdataset->ttl);
ttl = ISC_MIN(ttl, sigp1rdataset->ttl);
if (p2rdataset != NULL)
ttl = ISC_MIN(ttl, p2rdataset->ttl);
if (sigp2rdataset != NULL)
ttl = ISC_MIN(ttl, sigp2rdataset->ttl);
return (ttl);
}
/*
* Synthesize a NODATA response from the SOA and covering NSEC in cache.
*/
......@@ -8354,10 +8386,9 @@ query_synthnodata(query_ctx_t *qctx, const dns_name_t *signer,
/*
* Detemine the correct TTL to use for the SOA and RRSIG
*/
ttl = ISC_MIN(qctx->rdataset->ttl, qctx->sigrdataset->ttl);
ttl = ISC_MIN(ttl, (*soardatasetp)->ttl);
ttl = ISC_MIN(ttl, (*sigsoardatasetp)->ttl);
ttl = query_synthttl(*soardatasetp, *sigsoardatasetp,
qctx->rdataset, qctx->sigrdataset,
NULL, NULL);
(*soardatasetp)->ttl = (*sigsoardatasetp)->ttl = ttl;
/*
......@@ -8559,15 +8590,15 @@ query_synthcnamewildcard(query_ctx_t *qctx, dns_rdataset_t *rdataset,
/*
* Synthesize a NXDOMAIN response from qctx (which contains the
* NODATA proof), nowild + rdataset + sigrdataset (which contains
* the NOWILDCARD proof) and signer + soardatasetp + sigsoardatasetp
* NODATA proof), nowild + nowildrdataset + signowildrdataset (which
* contains the NOWILDCARD proof) and signer + soardatasetp + sigsoardatasetp
* which contain the SOA record + RRSIG for the negative answer.
*/
static isc_result_t
query_synthnxdomain(query_ctx_t *qctx,
dns_name_t *nowild,
dns_rdataset_t *rdataset,
dns_rdataset_t *sigrdataset,
dns_rdataset_t *nowildrdataset,
dns_rdataset_t *signowildrdataset,
dns_name_t *signer,
dns_rdataset_t **soardatasetp,
dns_rdataset_t **sigsoardatasetp)
......@@ -8581,12 +8612,9 @@ query_synthnxdomain(query_ctx_t *qctx,
/*
* Detemine the correct TTL to use for the SOA and RRSIG
*/
ttl = ISC_MIN(qctx->rdataset->ttl, qctx->sigrdataset->ttl);
ttl = ISC_MIN(ttl, rdataset->ttl);
ttl = ISC_MIN(ttl, sigrdataset->ttl);
ttl = ISC_MIN(ttl, (*soardatasetp)->ttl);
ttl = ISC_MIN(ttl, (*sigsoardatasetp)->ttl);
ttl = query_synthttl(*soardatasetp, *sigsoardatasetp,
qctx->rdataset, qctx->sigrdataset,
nowildrdataset, signowildrdataset);
(*soardatasetp)->ttl = (*sigsoardatasetp)->ttl = ttl;
/*
......@@ -8651,8 +8679,8 @@ query_synthnxdomain(query_ctx_t *qctx,
goto cleanup;
}
dns_rdataset_clone(rdataset, clone);
dns_rdataset_clone(sigrdataset, sigclone);
dns_rdataset_clone(nowildrdataset, clone);
dns_rdataset_clone(signowildrdataset, sigclone);
/*
* Add NOWILDCARD proof.
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment