devuan
/
pdns-recursor
10
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 20 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
499 Commits
1 Branch
7.9 MiB
 
 
 
 
 
 
Branch: suites/unstable
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'suites/unstable'
${ noResults }
pdns-recursor/test-syncres_cc7.cc

1460 lines
61 KiB
Raw Permalink Blame History 

  1. #define BOOST_TEST_DYN_LINK

  2. #include <boost/test/unit_test.hpp>

  3. 

  4. #include "test-syncres_cc.hh"

  5. 

  6. BOOST_AUTO_TEST_SUITE(syncres_cc7)

  7. 

  8. BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_ta_skipped_cut)

  9. {

  10.   std::unique_ptr<SyncRes> sr;

  11.   initSR(sr, true);

  12. 

  13.   setDNSSECValidation(sr, DNSSECMode::ValidateAll);

  14. 

  15.   primeHints();

  16.   const DNSName target("www.sub.powerdns.com.");

  17.   const ComboAddress targetAddr("192.0.2.42");

  18.   testkeysset_t keys;

  19. 

  20.   auto luaconfsCopy = g_luaconfs.getCopy();

  21.   luaconfsCopy.dsAnchors.clear();

  22.   generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  23.   /* No key material for .com */

  24.   /* But TA for sub.powerdns.com. */

  25.   generateKeyMaterial(DNSName("sub.powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  26.   luaconfsCopy.dsAnchors[DNSName("sub.powerdns.com.")].insert(keys[DNSName("sub.powerdns.com.")].second);

  27.   g_luaconfs.setState(luaconfsCopy);

  28. 

  29.   size_t queriesCount = 0;

  30. 

  31.   sr->setAsyncCallback([target, targetAddr, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {

  32.     queriesCount++;

  33. 

  34.     if (type == QType::DS) {

  35.       if (domain == DNSName("www.sub.powerdns.com")) {

  36.         setLWResult(res, 0, true, false, true);

  37.         addRecordToLW(res, DNSName("sub.powerdns.com"), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  38.         addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300);

  39.         addNSECRecordToLW(DNSName("www.sub.powerdns.com"), DNSName("vww.sub.powerdns.com."), {QType::A}, 600, res->d_records);

  40.         addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300);

  41.       }

  42.       else {

  43.         setLWResult(res, 0, true, false, true);

  44. 

  45.         if (domain == DNSName("com.")) {

  46.           addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  47.           addRRSIG(keys, res->d_records, DNSName("."), 300);

  48.           /* no DS */

  49.           addNSECRecordToLW(DNSName("com."), DNSName("dom."), {QType::NS}, 600, res->d_records);

  50.           addRRSIG(keys, res->d_records, DNSName("."), 300);

  51.         }

  52.         else {

  53.           setLWResult(res, 0, true, false, true);

  54.           addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  55.         }

  56.       }

  57.       return 1;

  58.     }

  59.     else if (type == QType::DNSKEY) {

  60.       if (domain == g_rootdnsname || domain == DNSName("sub.powerdns.com.")) {

  61.         setLWResult(res, 0, true, false, true);

  62.         addDNSKEY(keys, domain, 300, res->d_records);

  63.         addRRSIG(keys, res->d_records, domain, 300);

  64.         return 1;

  65.       }

  66.     }

  67.     else {

  68.       if (isRootServer(ip)) {

  69.         setLWResult(res, 0, false, false, true);

  70.         addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);

  71.         /* no DS */

  72.         addNSECRecordToLW(DNSName("com."), DNSName("dom."), {QType::NS}, 600, res->d_records);

  73.         addRRSIG(keys, res->d_records, DNSName("."), 300);

  74.         addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  75.         return 1;

  76.       }

  77.       else if (ip == ComboAddress("192.0.2.1:53")) {

  78.         if (domain == DNSName("com.")) {

  79.           setLWResult(res, 0, true, false, true);

  80.           addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com.");

  81.           addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  82.         }

  83.         else if (domain.isPartOf(DNSName("powerdns.com."))) {

  84.           setLWResult(res, 0, false, false, true);

  85.           addRecordToLW(res, DNSName("powerdns.com."), QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);

  86.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  87.         }

  88.         return 1;

  89.       }

  90.       else if (ip == ComboAddress("192.0.2.2:53")) {

  91.         setLWResult(res, 0, true, false, true);

  92.         if (type == QType::NS) {

  93.           if (domain == DNSName("www.sub.powerdns.com.")) {

  94.             addRecordToLW(res, DNSName("sub.powerdns.com"), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  95.             addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300);

  96.             addNSECRecordToLW(DNSName("www.sub.powerdns.com"), DNSName("vww.sub.powerdns.com."), {QType::A}, 600, res->d_records);

  97.             addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300);

  98.           }

  99.           else if (domain == DNSName("sub.powerdns.com.")) {

  100.             addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");

  101.             addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com."), 300);

  102.           }

  103.           else if (domain == DNSName("powerdns.com.")) {

  104.             addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");

  105.           }

  106.         }

  107.         else if (domain == DNSName("www.sub.powerdns.com.")) {

  108.           addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);

  109.           addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com."), 300);

  110.         }

  111.         return 1;

  112.       }

  113.     }

  114. 

  115.     return 0;

  116.   });

  117. 

  118.   vector<DNSRecord> ret;

  119.   int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  120.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  121.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);

  122.   BOOST_REQUIRE_EQUAL(ret.size(), 2U);

  123.   BOOST_CHECK(ret[0].d_type == QType::A);

  124.   BOOST_CHECK_EQUAL(queriesCount, 7U);

  125. 

  126.   /* again, to test the cache */

  127.   ret.clear();

  128.   res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  129.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  130.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);

  131.   BOOST_REQUIRE_EQUAL(ret.size(), 2U);

  132.   BOOST_CHECK(ret[0].d_type == QType::A);

  133.   BOOST_CHECK_EQUAL(queriesCount, 7U);

  134. }

  135. 

  136. BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_nodata)

  137. {

  138.   std::unique_ptr<SyncRes> sr;

  139.   initSR(sr, true);

  140. 

  141.   setDNSSECValidation(sr, DNSSECMode::ValidateAll);

  142. 

  143.   primeHints();

  144.   const DNSName target("powerdns.com.");

  145.   testkeysset_t keys;

  146. 

  147.   auto luaconfsCopy = g_luaconfs.getCopy();

  148.   luaconfsCopy.dsAnchors.clear();

  149.   generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  150.   generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  151. 

  152.   g_luaconfs.setState(luaconfsCopy);

  153. 

  154.   size_t queriesCount = 0;

  155. 

  156.   sr->setAsyncCallback([target, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {

  157.     queriesCount++;

  158. 

  159.     if (type == QType::DS) {

  160.       if (domain == target) {

  161.         setLWResult(res, 0, true, false, true);

  162.         addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  163.         addRRSIG(keys, res->d_records, DNSName("com."), 300);

  164.         addNSECRecordToLW(domain, DNSName("z.powerdns.com."), {QType::NS}, 600, res->d_records);

  165.         addRRSIG(keys, res->d_records, DNSName("com."), 300);

  166.         return 1;

  167.       }

  168.       else {

  169.         return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);

  170.       }

  171.     }

  172.     else if (type == QType::DNSKEY) {

  173.       if (domain == g_rootdnsname || domain == DNSName("com.")) {

  174.         setLWResult(res, 0, true, false, true);

  175.         addDNSKEY(keys, domain, 300, res->d_records);

  176.         addRRSIG(keys, res->d_records, domain, 300);

  177.         return 1;

  178.       }

  179.       else {

  180.         setLWResult(res, 0, true, false, true);

  181.         addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  182.         return 1;

  183.       }

  184.     }

  185.     else {

  186.       if (isRootServer(ip)) {

  187.         setLWResult(res, 0, false, false, true);

  188.         addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);

  189.         addDS(DNSName("com."), 300, res->d_records, keys);

  190.         addRRSIG(keys, res->d_records, DNSName("."), 300);

  191.         addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  192.         return 1;

  193.       }

  194.       else if (ip == ComboAddress("192.0.2.1:53")) {

  195.         if (domain == DNSName("com.")) {

  196.           setLWResult(res, 0, true, false, true);

  197.           addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");

  198.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  199.           addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  200.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  201.         }

  202.         else {

  203.           setLWResult(res, 0, false, false, true);

  204.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);

  205.           /* no DS */

  206.           addNSECRecordToLW(domain, DNSName("z.powerdns.com."), {QType::NS}, 600, res->d_records);

  207.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  208.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  209.         }

  210.         return 1;

  211.       }

  212.       else if (ip == ComboAddress("192.0.2.2:53")) {

  213.         if (type == QType::NS) {

  214.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");

  215.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  216.         }

  217.         else {

  218.           setLWResult(res, 0, true, false, true);

  219.           addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  220.         }

  221.         return 1;

  222.       }

  223.     }

  224. 

  225.     return 0;

  226.   });

  227. 

  228.   vector<DNSRecord> ret;

  229.   int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  230.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  231.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);

  232.   BOOST_REQUIRE_EQUAL(ret.size(), 1U);

  233.   /* 4 NS (com from root, com from com, powerdns.com from com,

  234.      powerdns.com from powerdns.com)

  235.      2 DNSKEY (. and com., none for powerdns.com because no DS)

  236.      1 query for A

  237.   */

  238.   BOOST_CHECK_EQUAL(queriesCount, 7U);

  239. 

  240.   /* again, to test the cache */

  241.   ret.clear();

  242.   res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  243.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  244.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);

  245.   BOOST_REQUIRE_EQUAL(ret.size(), 1U);

  246.   BOOST_CHECK_EQUAL(queriesCount, 7U);

  247. }

  248. 

  249. BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname)

  250. {

  251.   std::unique_ptr<SyncRes> sr;

  252.   initSR(sr, true);

  253. 

  254.   setDNSSECValidation(sr, DNSSECMode::ValidateAll);

  255. 

  256.   primeHints();

  257.   const DNSName target("powerdns.com.");

  258.   const DNSName targetCName("power-dns.com.");

  259.   const ComboAddress targetCNameAddr("192.0.2.42");

  260.   testkeysset_t keys;

  261. 

  262.   auto luaconfsCopy = g_luaconfs.getCopy();

  263.   luaconfsCopy.dsAnchors.clear();

  264.   generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  265.   generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  266.   generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  267.   g_luaconfs.setState(luaconfsCopy);

  268. 

  269.   size_t queriesCount = 0;

  270. 

  271.   sr->setAsyncCallback([target, targetCName, targetCNameAddr, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {

  272.     queriesCount++;

  273. 

  274.     if (type == QType::DS) {

  275.       if (domain == targetCName) {

  276.         setLWResult(res, 0, true, false, true);

  277.         addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  278.         addRRSIG(keys, res->d_records, DNSName("com."), 300);

  279.         addNSECRecordToLW(domain, DNSName("z.power-dns.com."), {QType::NS}, 600, res->d_records);

  280.         addRRSIG(keys, res->d_records, DNSName("com."), 300);

  281.         return 1;

  282.       }

  283.       else {

  284.         return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);

  285.       }

  286.     }

  287.     else if (type == QType::DNSKEY) {

  288.       if (domain == g_rootdnsname || domain == DNSName("com.") || domain == DNSName("powerdns.com.")) {

  289.         setLWResult(res, 0, true, false, true);

  290.         addDNSKEY(keys, domain, 300, res->d_records);

  291.         addRRSIG(keys, res->d_records, domain, 300);

  292.         return 1;

  293.       }

  294.       else {

  295.         setLWResult(res, 0, true, false, true);

  296.         addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  297.         return 1;

  298.       }

  299.     }

  300.     else {

  301.       if (isRootServer(ip)) {

  302.         setLWResult(res, 0, false, false, true);

  303.         addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);

  304.         addDS(DNSName("com."), 300, res->d_records, keys);

  305.         addRRSIG(keys, res->d_records, DNSName("."), 300);

  306.         addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  307.         return 1;

  308.       }

  309.       else if (ip == ComboAddress("192.0.2.1:53")) {

  310.         setLWResult(res, 0, false, false, true);

  311.         if (domain == DNSName("com.")) {

  312.           setLWResult(res, 0, true, false, true);

  313.           addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");

  314.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  315.           addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  316.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  317.         }

  318.         else {

  319.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);

  320.           if (domain == DNSName("powerdns.com.")) {

  321.             addDS(DNSName("powerdns.com."), 300, res->d_records, keys);

  322.           }

  323.           else if (domain == targetCName) {

  324.             addNSECRecordToLW(domain, DNSName("z.power-dns.com."), {QType::NS}, 600, res->d_records);

  325.           }

  326.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  327.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  328.         }

  329. 

  330.         return 1;

  331.       }

  332.       else if (ip == ComboAddress("192.0.2.2:53")) {

  333.         setLWResult(res, 0, true, false, true);

  334. 

  335.         if (type == QType::NS) {

  336.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");

  337.           if (domain == DNSName("powerdns.com.")) {

  338.             addRRSIG(keys, res->d_records, domain, 300);

  339.           }

  340.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  341.           if (domain == DNSName("powerdns.com.")) {

  342.             addRRSIG(keys, res->d_records, domain, 300);

  343.           }

  344.         }

  345.         else {

  346.           if (domain == DNSName("powerdns.com.")) {

  347.             addRecordToLW(res, domain, QType::CNAME, targetCName.toString());

  348.             addRRSIG(keys, res->d_records, domain, 300);

  349.           }

  350.           else if (domain == targetCName) {

  351.             addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());

  352.           }

  353.         }

  354. 

  355.         return 1;

  356.       }

  357.     }

  358. 

  359.     return 0;

  360.   });

  361. 

  362.   vector<DNSRecord> ret;

  363.   int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  364.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  365.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);

  366.   BOOST_REQUIRE_EQUAL(ret.size(), 3U);

  367.   BOOST_CHECK_EQUAL(queriesCount, 11U);

  368. 

  369.   /* again, to test the cache */

  370.   ret.clear();

  371.   res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  372.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  373.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);

  374.   BOOST_REQUIRE_EQUAL(ret.size(), 3U);

  375.   BOOST_CHECK_EQUAL(queriesCount, 11U);

  376. }

  377. 

  378. BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname_glue)

  379. {

  380.   std::unique_ptr<SyncRes> sr;

  381.   initSR(sr, true);

  382. 

  383.   setDNSSECValidation(sr, DNSSECMode::ValidateAll);

  384. 

  385.   primeHints();

  386.   const DNSName target("powerdns.com.");

  387.   const DNSName targetCName1("cname.sub.powerdns.com.");

  388.   const DNSName targetCName2("cname2.sub.powerdns.com.");

  389.   const ComboAddress targetCName2Addr("192.0.2.42");

  390.   testkeysset_t keys;

  391. 

  392.   auto luaconfsCopy = g_luaconfs.getCopy();

  393.   luaconfsCopy.dsAnchors.clear();

  394.   generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  395.   generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  396.   generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  397.   g_luaconfs.setState(luaconfsCopy);

  398. 

  399.   size_t queriesCount = 0;

  400. 

  401.   sr->setAsyncCallback([target, targetCName1, targetCName2, targetCName2Addr, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {

  402.     queriesCount++;

  403. 

  404.     if (type == QType::DS || type == QType::DNSKEY) {

  405.       if (domain == DNSName("sub.powerdns.com")) {

  406.         setLWResult(res, 0, true, false, true);

  407.         addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  408.         addRRSIG(keys, res->d_records, DNSName("com."), 300);

  409.         addNSECRecordToLW(domain, DNSName("z.power-dns.com."), {QType::NS}, 600, res->d_records);

  410.         addRRSIG(keys, res->d_records, DNSName("com."), 300);

  411.         return 1;

  412.       }

  413.       else {

  414.         return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);

  415.       }

  416.     }

  417.     else {

  418.       if (isRootServer(ip)) {

  419.         setLWResult(res, 0, false, false, true);

  420.         addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);

  421.         addDS(DNSName("com."), 300, res->d_records, keys);

  422.         addRRSIG(keys, res->d_records, DNSName("."), 300);

  423.         addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  424.         return 1;

  425.       }

  426.       else if (ip == ComboAddress("192.0.2.1:53")) {

  427.         setLWResult(res, 0, false, false, true);

  428.         if (domain == DNSName("com.")) {

  429.           setLWResult(res, 0, true, false, true);

  430.           addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");

  431.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  432.           addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  433.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  434.         }

  435.         else {

  436.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);

  437.           if (domain == DNSName("powerdns.com.")) {

  438.             addDS(DNSName("powerdns.com."), 300, res->d_records, keys);

  439.           }

  440.           else if (domain == DNSName("sub.powerdns.com")) {

  441.             addNSECRecordToLW(domain, DNSName("z.power-dns.com."), {QType::NS}, 600, res->d_records);

  442.           }

  443.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  444.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  445.         }

  446. 

  447.         return 1;

  448.       }

  449.       else if (ip == ComboAddress("192.0.2.2:53")) {

  450.         setLWResult(res, 0, true, false, true);

  451. 

  452.         if (type == QType::NS) {

  453.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");

  454.           if (domain == DNSName("powerdns.com.")) {

  455.             addRRSIG(keys, res->d_records, domain, 300);

  456.           }

  457.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  458.           if (domain == DNSName("powerdns.com.")) {

  459.             addRRSIG(keys, res->d_records, domain, 300);

  460.           }

  461.         }

  462.         else {

  463.           if (domain == DNSName("powerdns.com.")) {

  464.             addRecordToLW(res, domain, QType::CNAME, targetCName1.toString());

  465.             addRRSIG(keys, res->d_records, domain, 300);

  466.             /* add the CNAME target as a glue, with no RRSIG since the sub zone is insecure */

  467.             addRecordToLW(res, targetCName1, QType::CNAME, targetCName2.toString());

  468.             addRecordToLW(res, targetCName2, QType::A, targetCName2Addr.toString());

  469.           }

  470.           else if (domain == targetCName1) {

  471.             addRecordToLW(res, domain, QType::CNAME, targetCName2.toString());

  472.           }

  473.           else if (domain == targetCName2) {

  474.             addRecordToLW(res, domain, QType::A, targetCName2Addr.toString());

  475.           }

  476.         }

  477. 

  478.         return 1;

  479.       }

  480.     }

  481. 

  482.     return 0;

  483.   });

  484. 

  485.   vector<DNSRecord> ret;

  486.   int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  487.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  488.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);

  489.   BOOST_REQUIRE_EQUAL(ret.size(), 4U);

  490.   BOOST_CHECK_EQUAL(queriesCount, 11U);

  491. 

  492.   /* again, to test the cache */

  493.   ret.clear();

  494.   res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  495.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  496.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);

  497.   BOOST_REQUIRE_EQUAL(ret.size(), 4U);

  498.   BOOST_CHECK_EQUAL(queriesCount, 11U);

  499. }

  500. 

  501. BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_secure_cname)

  502. {

  503.   std::unique_ptr<SyncRes> sr;

  504.   initSR(sr, true);

  505. 

  506.   setDNSSECValidation(sr, DNSSECMode::ValidateAll);

  507. 

  508.   primeHints();

  509.   const DNSName target("power-dns.com.");

  510.   const DNSName targetCName("powerdns.com.");

  511.   const ComboAddress targetCNameAddr("192.0.2.42");

  512.   testkeysset_t keys;

  513. 

  514.   auto luaconfsCopy = g_luaconfs.getCopy();

  515.   luaconfsCopy.dsAnchors.clear();

  516.   generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  517.   generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  518.   generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  519.   g_luaconfs.setState(luaconfsCopy);

  520. 

  521.   size_t queriesCount = 0;

  522. 

  523.   sr->setAsyncCallback([target, targetCName, targetCNameAddr, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {

  524.     queriesCount++;

  525. 

  526.     if (type == QType::DS) {

  527.       if (domain == DNSName("power-dns.com.")) {

  528.         setLWResult(res, 0, true, false, true);

  529.         addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  530.         addRRSIG(keys, res->d_records, DNSName("com."), 300);

  531.         addNSECRecordToLW(domain, DNSName("z.power-dns.com."), {QType::NS}, 600, res->d_records);

  532.         addRRSIG(keys, res->d_records, DNSName("com."), 300);

  533.         return 1;

  534.       }

  535.       else {

  536.         return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);

  537.       }

  538.     }

  539.     else if (type == QType::DNSKEY) {

  540.       if (domain == g_rootdnsname || domain == DNSName("com.") || domain == DNSName("powerdns.com.")) {

  541.         setLWResult(res, 0, true, false, true);

  542.         addDNSKEY(keys, domain, 300, res->d_records);

  543.         addRRSIG(keys, res->d_records, domain, 300);

  544.         return 1;

  545.       }

  546.       else {

  547.         setLWResult(res, 0, true, false, true);

  548.         addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  549.         return 1;

  550.       }

  551.     }

  552.     else {

  553.       if (isRootServer(ip)) {

  554.         setLWResult(res, 0, false, false, true);

  555.         addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);

  556.         addDS(DNSName("com."), 300, res->d_records, keys);

  557.         addRRSIG(keys, res->d_records, DNSName("."), 300);

  558.         addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  559.         return 1;

  560.       }

  561.       else if (ip == ComboAddress("192.0.2.1:53")) {

  562.         if (domain == DNSName("com.")) {

  563.           setLWResult(res, 0, true, false, true);

  564.           addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");

  565.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  566.           addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  567.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  568.         }

  569.         else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) {

  570.           setLWResult(res, 0, false, false, true);

  571.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);

  572.           if (domain == targetCName) {

  573.             addDS(DNSName("powerdns.com."), 300, res->d_records, keys);

  574.           }

  575.           else if (domain == target) {

  576.             addNSECRecordToLW(domain, DNSName("z.power-dns.com."), {QType::NS}, 600, res->d_records);

  577.           }

  578.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  579.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  580.         }

  581.         return 1;

  582.       }

  583.       else if (ip == ComboAddress("192.0.2.2:53")) {

  584.         setLWResult(res, 0, true, false, true);

  585.         if (type == QType::NS) {

  586.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");

  587.           if (domain == DNSName("powerdns.com.")) {

  588.             addRRSIG(keys, res->d_records, domain, 300);

  589.           }

  590.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  591.           if (domain == DNSName("powerdns.com.")) {

  592.             addRRSIG(keys, res->d_records, domain, 300);

  593.           }

  594.         }

  595.         else {

  596.           if (domain == target) {

  597.             addRecordToLW(res, domain, QType::CNAME, targetCName.toString());

  598.           }

  599.           else if (domain == targetCName) {

  600.             addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());

  601.             addRRSIG(keys, res->d_records, domain, 300);

  602.           }

  603.         }

  604.         return 1;

  605.       }

  606.     }

  607. 

  608.     return 0;

  609.   });

  610. 

  611.   vector<DNSRecord> ret;

  612.   int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  613.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  614.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);

  615.   BOOST_REQUIRE_EQUAL(ret.size(), 3U);

  616.   BOOST_CHECK_EQUAL(queriesCount, 11U);

  617. 

  618.   /* again, to test the cache */

  619.   ret.clear();

  620.   res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  621.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  622.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);

  623.   BOOST_REQUIRE_EQUAL(ret.size(), 3U);

  624.   BOOST_CHECK_EQUAL(queriesCount, 11U);

  625. }

  626. 

  627. BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_secure_cname)

  628. {

  629.   std::unique_ptr<SyncRes> sr;

  630.   initSR(sr, true);

  631. 

  632.   setDNSSECValidation(sr, DNSSECMode::ValidateAll);

  633. 

  634.   primeHints();

  635.   const DNSName target("power-dns.com.");

  636.   const DNSName targetCName("powerdns.com.");

  637.   const ComboAddress targetCNameAddr("192.0.2.42");

  638.   testkeysset_t keys;

  639. 

  640.   auto luaconfsCopy = g_luaconfs.getCopy();

  641.   luaconfsCopy.dsAnchors.clear();

  642.   generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  643.   generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  644.   generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  645.   generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  646.   g_luaconfs.setState(luaconfsCopy);

  647. 

  648.   size_t queriesCount = 0;

  649. 

  650.   sr->setAsyncCallback([target, targetCName, targetCNameAddr, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {

  651.     queriesCount++;

  652. 

  653.     if (type == QType::DS || type == QType::DNSKEY) {

  654.       return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);

  655.     }

  656.     else {

  657.       if (isRootServer(ip)) {

  658.         setLWResult(res, 0, false, false, true);

  659.         addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);

  660.         addDS(DNSName("com."), 300, res->d_records, keys);

  661.         addRRSIG(keys, res->d_records, DNSName("."), 300);

  662.         addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  663.         return 1;

  664.       }

  665.       else if (ip == ComboAddress("192.0.2.1:53")) {

  666.         if (domain == DNSName("com.")) {

  667.           setLWResult(res, 0, true, false, true);

  668.           addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");

  669.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  670.           addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  671.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  672.         }

  673.         else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) {

  674.           setLWResult(res, 0, false, false, true);

  675.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);

  676.           addDS(DNSName(domain), 300, res->d_records, keys);

  677.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  678.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  679.         }

  680.         return 1;

  681.       }

  682.       else if (ip == ComboAddress("192.0.2.2:53")) {

  683.         setLWResult(res, 0, true, false, true);

  684.         if (type == QType::NS) {

  685.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");

  686.           addRRSIG(keys, res->d_records, domain, 300);

  687.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  688.           addRRSIG(keys, res->d_records, domain, 300);

  689.         }

  690.         else {

  691.           if (domain == target) {

  692.             addRecordToLW(res, domain, QType::CNAME, targetCName.toString());

  693.             /* No RRSIG, leading to bogus */

  694.           }

  695.           else if (domain == targetCName) {

  696.             addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());

  697.             addRRSIG(keys, res->d_records, domain, 300);

  698.           }

  699.         }

  700.         return 1;

  701.       }

  702.     }

  703. 

  704.     return 0;

  705.   });

  706. 

  707.   vector<DNSRecord> ret;

  708.   int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  709.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  710.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);

  711.   BOOST_REQUIRE_EQUAL(ret.size(), 3U);

  712.   BOOST_CHECK_EQUAL(queriesCount, 11U);

  713. 

  714.   /* again, to test the cache */

  715.   ret.clear();

  716.   res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  717.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  718.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);

  719.   BOOST_REQUIRE_EQUAL(ret.size(), 3U);

  720.   BOOST_CHECK_EQUAL(queriesCount, 11U);

  721. }

  722. 

  723. BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_bogus_cname)

  724. {

  725.   std::unique_ptr<SyncRes> sr;

  726.   initSR(sr, true);

  727. 

  728.   setDNSSECValidation(sr, DNSSECMode::ValidateAll);

  729. 

  730.   primeHints();

  731.   const DNSName target("power-dns.com.");

  732.   const DNSName targetCName("powerdns.com.");

  733.   const ComboAddress targetCNameAddr("192.0.2.42");

  734.   testkeysset_t keys;

  735. 

  736.   auto luaconfsCopy = g_luaconfs.getCopy();

  737.   luaconfsCopy.dsAnchors.clear();

  738.   generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  739.   generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  740.   generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  741.   generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  742.   g_luaconfs.setState(luaconfsCopy);

  743. 

  744.   size_t queriesCount = 0;

  745. 

  746.   sr->setAsyncCallback([target, targetCName, targetCNameAddr, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {

  747.     queriesCount++;

  748. 

  749.     if (type == QType::DS || type == QType::DNSKEY) {

  750.       return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);

  751.     }

  752.     else {

  753.       if (isRootServer(ip)) {

  754.         setLWResult(res, 0, false, false, true);

  755.         addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);

  756.         addDS(DNSName("com."), 300, res->d_records, keys);

  757.         addRRSIG(keys, res->d_records, DNSName("."), 300);

  758.         addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  759.         return 1;

  760.       }

  761.       else if (ip == ComboAddress("192.0.2.1:53")) {

  762.         if (domain == DNSName("com.")) {

  763.           setLWResult(res, 0, true, false, true);

  764.           addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");

  765.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  766.           addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  767.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  768.         }

  769.         else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) {

  770.           setLWResult(res, 0, false, false, true);

  771.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);

  772.           addDS(DNSName(domain), 300, res->d_records, keys);

  773.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  774.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  775.         }

  776.         return 1;

  777.       }

  778.       else if (ip == ComboAddress("192.0.2.2:53")) {

  779.         setLWResult(res, 0, true, false, true);

  780.         if (type == QType::NS) {

  781.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");

  782.           addRRSIG(keys, res->d_records, domain, 300);

  783.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  784.           addRRSIG(keys, res->d_records, domain, 300);

  785.         }

  786.         else {

  787.           if (domain == target) {

  788.             addRecordToLW(res, domain, QType::CNAME, targetCName.toString());

  789.             addRRSIG(keys, res->d_records, domain, 300);

  790.           }

  791.           else if (domain == targetCName) {

  792.             addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());

  793.             /* No RRSIG, leading to bogus */

  794.           }

  795.         }

  796.         return 1;

  797.       }

  798.     }

  799. 

  800.     return 0;

  801.   });

  802. 

  803.   vector<DNSRecord> ret;

  804.   int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  805.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  806.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);

  807.   BOOST_REQUIRE_EQUAL(ret.size(), 3U);

  808.   BOOST_CHECK_EQUAL(queriesCount, 11U);

  809. 

  810.   /* again, to test the cache */

  811.   ret.clear();

  812.   res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  813.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  814.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);

  815.   BOOST_REQUIRE_EQUAL(ret.size(), 3U);

  816.   BOOST_CHECK_EQUAL(queriesCount, 11U);

  817. }

  818. 

  819. BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_secure_cname)

  820. {

  821.   std::unique_ptr<SyncRes> sr;

  822.   initSR(sr, true);

  823. 

  824.   setDNSSECValidation(sr, DNSSECMode::ValidateAll);

  825. 

  826.   primeHints();

  827.   const DNSName target("power-dns.com.");

  828.   const DNSName targetCName("powerdns.com.");

  829.   const ComboAddress targetCNameAddr("192.0.2.42");

  830.   testkeysset_t keys;

  831. 

  832.   auto luaconfsCopy = g_luaconfs.getCopy();

  833.   luaconfsCopy.dsAnchors.clear();

  834.   generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  835.   generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  836.   generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  837.   generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  838.   g_luaconfs.setState(luaconfsCopy);

  839. 

  840.   size_t queriesCount = 0;

  841. 

  842.   sr->setAsyncCallback([target, targetCName, targetCNameAddr, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {

  843.     queriesCount++;

  844. 

  845.     if (type == QType::DS || type == QType::DNSKEY) {

  846.       return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);

  847.     }

  848.     else {

  849.       if (isRootServer(ip)) {

  850.         setLWResult(res, 0, false, false, true);

  851.         addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);

  852.         addDS(DNSName("com."), 300, res->d_records, keys);

  853.         addRRSIG(keys, res->d_records, DNSName("."), 300);

  854.         addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  855.         return 1;

  856.       }

  857.       else if (ip == ComboAddress("192.0.2.1:53")) {

  858.         if (domain == DNSName("com.")) {

  859.           setLWResult(res, 0, true, false, true);

  860.           addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");

  861.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  862.           addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  863.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  864.         }

  865.         else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) {

  866.           setLWResult(res, 0, false, false, true);

  867.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);

  868.           addDS(DNSName(domain), 300, res->d_records, keys);

  869.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  870.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  871.         }

  872.         return 1;

  873.       }

  874.       else if (ip == ComboAddress("192.0.2.2:53")) {

  875.         setLWResult(res, 0, true, false, true);

  876.         if (type == QType::NS) {

  877.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");

  878.           addRRSIG(keys, res->d_records, domain, 300);

  879.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  880.           addRRSIG(keys, res->d_records, domain, 300);

  881.         }

  882.         else {

  883.           if (domain == target) {

  884.             addRecordToLW(res, domain, QType::CNAME, targetCName.toString());

  885.             addRRSIG(keys, res->d_records, domain, 300);

  886.           }

  887.           else if (domain == targetCName) {

  888.             addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());

  889.             addRRSIG(keys, res->d_records, domain, 300);

  890.           }

  891.         }

  892.         return 1;

  893.       }

  894.     }

  895. 

  896.     return 0;

  897.   });

  898. 

  899.   vector<DNSRecord> ret;

  900.   int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  901.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  902.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);

  903.   BOOST_REQUIRE_EQUAL(ret.size(), 4U);

  904.   BOOST_CHECK_EQUAL(queriesCount, 12U);

  905. 

  906.   /* again, to test the cache */

  907.   ret.clear();

  908.   res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  909.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  910.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);

  911.   BOOST_REQUIRE_EQUAL(ret.size(), 4U);

  912.   BOOST_CHECK_EQUAL(queriesCount, 12U);

  913. }

  914. 

  915. BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_insecure_cname)

  916. {

  917.   std::unique_ptr<SyncRes> sr;

  918.   initSR(sr, true);

  919. 

  920.   setDNSSECValidation(sr, DNSSECMode::ValidateAll);

  921. 

  922.   primeHints();

  923.   const DNSName target("powerdns.com.");

  924.   const DNSName targetCName("power-dns.com.");

  925.   const ComboAddress targetCNameAddr("192.0.2.42");

  926.   testkeysset_t keys;

  927. 

  928.   auto luaconfsCopy = g_luaconfs.getCopy();

  929.   luaconfsCopy.dsAnchors.clear();

  930.   generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  931.   generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  932.   generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  933.   generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  934.   g_luaconfs.setState(luaconfsCopy);

  935. 

  936.   size_t queriesCount = 0;

  937. 

  938.   sr->setAsyncCallback([target, targetCName, targetCNameAddr, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {

  939.     queriesCount++;

  940. 

  941.     if (type == QType::DS) {

  942.       if (domain == DNSName("power-dns.com.")) {

  943.         setLWResult(res, 0, true, false, true);

  944.         addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  945.         addRRSIG(keys, res->d_records, DNSName("com."), 300);

  946.         addNSECRecordToLW(domain, DNSName("z.power-dns.com."), {QType::NS}, 600, res->d_records);

  947.         addRRSIG(keys, res->d_records, DNSName("com."), 300);

  948.         return 1;

  949.       }

  950.       else {

  951.         return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);

  952.       }

  953.     }

  954.     else if (type == QType::DNSKEY) {

  955.       if (domain == g_rootdnsname || domain == DNSName("com.") || domain == DNSName("powerdns.com.")) {

  956.         setLWResult(res, 0, true, false, true);

  957.         addDNSKEY(keys, domain, 300, res->d_records);

  958.         addRRSIG(keys, res->d_records, domain, 300);

  959.         return 1;

  960.       }

  961.       else {

  962.         setLWResult(res, 0, true, false, true);

  963.         addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  964.         return 1;

  965.       }

  966.     }

  967.     else {

  968.       if (isRootServer(ip)) {

  969.         setLWResult(res, 0, false, false, true);

  970.         addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);

  971.         addDS(DNSName("com."), 300, res->d_records, keys);

  972.         addRRSIG(keys, res->d_records, DNSName("."), 300);

  973.         addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  974.         return 1;

  975.       }

  976.       else if (ip == ComboAddress("192.0.2.1:53")) {

  977.         if (domain == DNSName("com.")) {

  978.           setLWResult(res, 0, true, false, true);

  979.           addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");

  980.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  981.           addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  982.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  983.         }

  984.         else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) {

  985.           setLWResult(res, 0, false, false, true);

  986.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);

  987.           if (domain == DNSName("powerdns.com.")) {

  988.             addDS(DNSName("powerdns.com."), 300, res->d_records, keys);

  989.           }

  990.           else if (domain == targetCName) {

  991.             addNSECRecordToLW(domain, DNSName("z.power-dns.com."), {QType::NS}, 600, res->d_records);

  992.           }

  993.           addRRSIG(keys, res->d_records, DNSName("com."), 300);

  994.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  995.         }

  996.         return 1;

  997.       }

  998.       else if (ip == ComboAddress("192.0.2.2:53")) {

  999.         setLWResult(res, 0, true, false, true);

  1000.         if (type == QType::NS) {

  1001.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");

  1002.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  1003.         }

  1004.         else {

  1005.           if (domain == DNSName("powerdns.com.")) {

  1006.             addRecordToLW(res, domain, QType::CNAME, targetCName.toString());

  1007.             /* No RRSIG -> Bogus */

  1008.           }

  1009.           else if (domain == targetCName) {

  1010.             addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());

  1011.           }

  1012.         }

  1013.         return 1;

  1014.       }

  1015.     }

  1016. 

  1017.     return 0;

  1018.   });

  1019. 

  1020.   vector<DNSRecord> ret;

  1021.   int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  1022.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  1023.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);

  1024.   /* no RRSIG to show */

  1025.   BOOST_CHECK_EQUAL(ret.size(), 2U);

  1026.   BOOST_CHECK_EQUAL(queriesCount, 10U);

  1027. 

  1028.   /* again, to test the cache */

  1029.   ret.clear();

  1030.   res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  1031.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  1032.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);

  1033.   BOOST_CHECK_EQUAL(ret.size(), 2U);

  1034.   BOOST_CHECK_EQUAL(queriesCount, 10U);

  1035. }

  1036. 

  1037. BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta)

  1038. {

  1039.   std::unique_ptr<SyncRes> sr;

  1040.   initSR(sr, true);

  1041. 

  1042.   setDNSSECValidation(sr, DNSSECMode::ValidateAll);

  1043. 

  1044.   primeHints();

  1045.   const DNSName target("powerdns.com.");

  1046.   const ComboAddress targetAddr("192.0.2.42");

  1047.   testkeysset_t keys;

  1048. 

  1049.   auto luaconfsCopy = g_luaconfs.getCopy();

  1050.   luaconfsCopy.dsAnchors.clear();

  1051.   generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  1052.   /* No key material for .com */

  1053.   generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  1054.   luaconfsCopy.dsAnchors[target].insert(keys[target].second);

  1055.   g_luaconfs.setState(luaconfsCopy);

  1056. 

  1057.   size_t queriesCount = 0;

  1058. 

  1059.   sr->setAsyncCallback([target, targetAddr, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {

  1060.     queriesCount++;

  1061. 

  1062.     if (type == QType::DNSKEY) {

  1063.       if (domain == g_rootdnsname || domain == DNSName("powerdns.com.")) {

  1064.         setLWResult(res, 0, true, false, true);

  1065.         addDNSKEY(keys, domain, 300, res->d_records);

  1066.         addRRSIG(keys, res->d_records, domain, 300);

  1067.         return 1;

  1068.       }

  1069.       else if (domain == DNSName("com.")) {

  1070.         setLWResult(res, 0, true, false, true);

  1071.         addRecordToLW(res, domain, QType::SOA, ". yop. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  1072.         return 1;

  1073.       }

  1074.     }

  1075.     else {

  1076.       if (isRootServer(ip)) {

  1077.         setLWResult(res, 0, false, false, true);

  1078.         addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);

  1079.         addNSECRecordToLW(DNSName("com."), DNSName("com."), {QType::NS}, 600, res->d_records);

  1080.         addRRSIG(keys, res->d_records, DNSName("."), 300);

  1081.         addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  1082.         return 1;

  1083.       }

  1084.       else if (ip == ComboAddress("192.0.2.1:53")) {

  1085.         if (target == domain) {

  1086.           setLWResult(res, 0, false, false, true);

  1087.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);

  1088.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  1089.         }

  1090.         else if (domain == DNSName("com.")) {

  1091.           setLWResult(res, 0, true, false, true);

  1092.           addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");

  1093.           addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  1094.         }

  1095.         return 1;

  1096.       }

  1097.       else if (ip == ComboAddress("192.0.2.2:53")) {

  1098.         setLWResult(res, 0, true, false, true);

  1099.         if (type == QType::NS) {

  1100.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");

  1101.         }

  1102.         else {

  1103.           addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);

  1104.         }

  1105.         addRRSIG(keys, res->d_records, domain, 300);

  1106.         return 1;

  1107.       }

  1108.     }

  1109. 

  1110.     return 0;

  1111.   });

  1112. 

  1113.   vector<DNSRecord> ret;

  1114.   int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  1115.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  1116.   /* should be insecure but we have a TA for powerdns.com. */

  1117.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);

  1118.   /* We got a RRSIG */

  1119.   BOOST_REQUIRE_EQUAL(ret.size(), 2U);

  1120.   BOOST_CHECK(ret[0].d_type == QType::A);

  1121.   BOOST_CHECK_EQUAL(queriesCount, 5U);

  1122. 

  1123.   /* again, to test the cache */

  1124.   ret.clear();

  1125.   res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  1126.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  1127.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);

  1128.   BOOST_REQUIRE_EQUAL(ret.size(), 2U);

  1129.   BOOST_CHECK(ret[0].d_type == QType::A);

  1130.   BOOST_CHECK_EQUAL(queriesCount, 5U);

  1131. }

  1132. 

  1133. BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta_norrsig)

  1134. {

  1135.   std::unique_ptr<SyncRes> sr;

  1136.   initSR(sr, true);

  1137. 

  1138.   setDNSSECValidation(sr, DNSSECMode::ValidateAll);

  1139. 

  1140.   primeHints();

  1141.   const DNSName target("powerdns.com.");

  1142.   const ComboAddress targetAddr("192.0.2.42");

  1143.   testkeysset_t keys;

  1144. 

  1145.   auto luaconfsCopy = g_luaconfs.getCopy();

  1146.   luaconfsCopy.dsAnchors.clear();

  1147.   generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  1148.   /* No key material for .com */

  1149.   generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  1150.   luaconfsCopy.dsAnchors[target].insert(keys[target].second);

  1151.   g_luaconfs.setState(luaconfsCopy);

  1152. 

  1153.   size_t queriesCount = 0;

  1154. 

  1155.   sr->setAsyncCallback([target, targetAddr, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {

  1156.     queriesCount++;

  1157. 

  1158.     if (type == QType::DNSKEY) {

  1159.       if (domain == g_rootdnsname || domain == DNSName("powerdns.com.")) {

  1160.         setLWResult(res, 0, true, false, true);

  1161.         addDNSKEY(keys, domain, 300, res->d_records);

  1162.         addRRSIG(keys, res->d_records, domain, 300);

  1163.         return 1;

  1164.       }

  1165.       else if (domain == DNSName("com.")) {

  1166.         setLWResult(res, 0, true, false, true);

  1167.         addRecordToLW(res, domain, QType::SOA, ". yop. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);

  1168.         return 1;

  1169.       }

  1170.     }

  1171.     else {

  1172.       if (target.isPartOf(domain) && isRootServer(ip)) {

  1173.         setLWResult(res, 0, false, false, true);

  1174.         addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);

  1175.         addNSECRecordToLW(DNSName("com."), DNSName("com."), {QType::NS}, 600, res->d_records);

  1176.         addRRSIG(keys, res->d_records, DNSName("."), 300);

  1177.         addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  1178.         return 1;

  1179.       }

  1180.       else if (ip == ComboAddress("192.0.2.1:53")) {

  1181.         if (target == domain) {

  1182.           setLWResult(res, 0, false, false, true);

  1183.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);

  1184.           addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);

  1185.         }

  1186.         else if (domain == DNSName("com.")) {

  1187.           setLWResult(res, 0, true, false, true);

  1188.           addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");

  1189.           addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);

  1190.         }

  1191.         return 1;

  1192.       }

  1193.       else if (domain == target && ip == ComboAddress("192.0.2.2:53")) {

  1194.         setLWResult(res, 0, true, false, true);

  1195.         if (type == QType::NS) {

  1196.           addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");

  1197.         }

  1198.         else {

  1199.           addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);

  1200.         }

  1201.         /* No RRSIG in a now (thanks to TA) Secure zone -> Bogus*/

  1202.         return 1;

  1203.       }

  1204.     }

  1205. 

  1206.     return 0;

  1207.   });

  1208. 

  1209.   vector<DNSRecord> ret;

  1210.   int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  1211.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  1212.   /* should be insecure but we have a TA for powerdns.com., but no RRSIG so Bogus */

  1213.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);

  1214.   /* No RRSIG */

  1215.   BOOST_REQUIRE_EQUAL(ret.size(), 1U);

  1216.   BOOST_CHECK(ret[0].d_type == QType::A);

  1217.   BOOST_CHECK_EQUAL(queriesCount, 4U);

  1218. 

  1219.   /* again, to test the cache */

  1220.   ret.clear();

  1221.   res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  1222.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  1223.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);

  1224.   BOOST_REQUIRE_EQUAL(ret.size(), 1U);

  1225.   BOOST_CHECK(ret[0].d_type == QType::A);

  1226.   BOOST_CHECK_EQUAL(queriesCount, 4U);

  1227. }

  1228. 

  1229. BOOST_AUTO_TEST_CASE(test_dnssec_nta)

  1230. {

  1231.   std::unique_ptr<SyncRes> sr;

  1232.   initSR(sr, true);

  1233. 

  1234.   setDNSSECValidation(sr, DNSSECMode::ValidateAll);

  1235. 

  1236.   primeHints();

  1237.   const DNSName target(".");

  1238.   testkeysset_t keys;

  1239. 

  1240.   auto luaconfsCopy = g_luaconfs.getCopy();

  1241.   luaconfsCopy.dsAnchors.clear();

  1242.   generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  1243.   /* Add a NTA for "." */

  1244.   luaconfsCopy.negAnchors[g_rootdnsname] = "NTA for Root";

  1245.   g_luaconfs.setState(luaconfsCopy);

  1246. 

  1247.   size_t queriesCount = 0;

  1248. 

  1249.   sr->setAsyncCallback([target, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {

  1250.     queriesCount++;

  1251. 

  1252.     if (domain == target && type == QType::NS) {

  1253. 

  1254.       setLWResult(res, 0, true, false, true);

  1255.       char addr[] = "a.root-servers.net.";

  1256.       for (char idx = 'a'; idx <= 'm'; idx++) {

  1257.         addr[0] = idx;

  1258.         addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);

  1259.       }

  1260. 

  1261.       addRRSIG(keys, res->d_records, domain, 300);

  1262. 

  1263.       addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);

  1264.       addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);

  1265. 

  1266.       return 1;

  1267.     }

  1268.     else if (domain == target && type == QType::DNSKEY) {

  1269. 

  1270.       setLWResult(res, 0, true, false, true);

  1271. 

  1272.       /* No DNSKEY */

  1273. 

  1274.       return 1;

  1275.     }

  1276. 

  1277.     return 0;

  1278.   });

  1279. 

  1280.   vector<DNSRecord> ret;

  1281.   int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);

  1282.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  1283.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);

  1284.   /* 13 NS + 1 RRSIG */

  1285.   BOOST_REQUIRE_EQUAL(ret.size(), 14U);

  1286.   BOOST_CHECK_EQUAL(queriesCount, 1U);

  1287. 

  1288.   /* again, to test the cache */

  1289.   ret.clear();

  1290.   res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);

  1291.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  1292.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);

  1293.   BOOST_REQUIRE_EQUAL(ret.size(), 14U);

  1294.   BOOST_CHECK_EQUAL(queriesCount, 1U);

  1295. }

  1296. 

  1297. BOOST_AUTO_TEST_CASE(test_dnssec_no_ta)

  1298. {

  1299.   std::unique_ptr<SyncRes> sr;

  1300.   initSR(sr, true);

  1301. 

  1302.   setDNSSECValidation(sr, DNSSECMode::ValidateAll);

  1303. 

  1304.   primeHints();

  1305.   const DNSName target(".");

  1306.   testkeysset_t keys;

  1307. 

  1308.   /* Remove the root DS */

  1309.   auto luaconfsCopy = g_luaconfs.getCopy();

  1310.   luaconfsCopy.dsAnchors.clear();

  1311.   g_luaconfs.setState(luaconfsCopy);

  1312. 

  1313.   size_t queriesCount = 0;

  1314. 

  1315.   sr->setAsyncCallback([target, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {

  1316.     queriesCount++;

  1317. 

  1318.     if (domain == target && type == QType::NS) {

  1319. 

  1320.       setLWResult(res, 0, true, false, true);

  1321.       char addr[] = "a.root-servers.net.";

  1322.       for (char idx = 'a'; idx <= 'm'; idx++) {

  1323.         addr[0] = idx;

  1324.         addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);

  1325.       }

  1326. 

  1327.       addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);

  1328.       addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);

  1329. 

  1330.       return 1;

  1331.     }

  1332. 

  1333.     return 0;

  1334.   });

  1335. 

  1336.   vector<DNSRecord> ret;

  1337.   int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);

  1338.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  1339.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);

  1340.   /* 13 NS + 0 RRSIG */

  1341.   BOOST_REQUIRE_EQUAL(ret.size(), 13U);

  1342.   BOOST_CHECK_EQUAL(queriesCount, 1U);

  1343. 

  1344.   /* again, to test the cache */

  1345.   ret.clear();

  1346.   res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);

  1347.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  1348.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);

  1349.   BOOST_REQUIRE_EQUAL(ret.size(), 13U);

  1350.   BOOST_CHECK_EQUAL(queriesCount, 1U);

  1351. }

  1352. 

  1353. BOOST_AUTO_TEST_CASE(test_dnssec_bogus_nodata)

  1354. {

  1355.   std::unique_ptr<SyncRes> sr;

  1356.   initSR(sr, true);

  1357. 

  1358.   setDNSSECValidation(sr, DNSSECMode::ValidateAll);

  1359. 

  1360.   primeHints();

  1361.   const DNSName target("powerdns.com.");

  1362.   testkeysset_t keys;

  1363. 

  1364.   auto luaconfsCopy = g_luaconfs.getCopy();

  1365.   luaconfsCopy.dsAnchors.clear();

  1366.   generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  1367.   generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  1368.   generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  1369.   g_luaconfs.setState(luaconfsCopy);

  1370. 

  1371.   size_t queriesCount = 0;

  1372. 

  1373.   sr->setAsyncCallback([target, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {

  1374.     queriesCount++;

  1375. 

  1376.     if (type == QType::DS || type == QType::DNSKEY) {

  1377.       return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);

  1378.     }

  1379.     else {

  1380. 

  1381.       setLWResult(res, 0, true, false, true);

  1382.       return 1;

  1383.     }

  1384. 

  1385.     return 0;

  1386.   });

  1387. 

  1388.   vector<DNSRecord> ret;

  1389.   int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  1390.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  1391.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication);

  1392.   BOOST_REQUIRE_EQUAL(ret.size(), 0U);

  1393.   /* com|NS, powerdns.com|NS, powerdns.com|A */

  1394.   BOOST_CHECK_EQUAL(queriesCount, 3U);

  1395. 

  1396.   /* again, to test the cache */

  1397.   ret.clear();

  1398.   res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  1399.   BOOST_CHECK_EQUAL(res, RCode::NoError);

  1400.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication);

  1401.   BOOST_REQUIRE_EQUAL(ret.size(), 0U);

  1402.   /* we don't store empty results */

  1403.   BOOST_CHECK_EQUAL(queriesCount, 4U);

  1404. }

  1405. 

  1406. BOOST_AUTO_TEST_CASE(test_dnssec_bogus_nxdomain)

  1407. {

  1408.   std::unique_ptr<SyncRes> sr;

  1409.   initSR(sr, true);

  1410. 

  1411.   setDNSSECValidation(sr, DNSSECMode::ValidateAll);

  1412. 

  1413.   primeHints();

  1414.   const DNSName target("powerdns.com.");

  1415.   testkeysset_t keys;

  1416. 

  1417.   auto luaconfsCopy = g_luaconfs.getCopy();

  1418.   luaconfsCopy.dsAnchors.clear();

  1419.   generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  1420.   generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys, luaconfsCopy.dsAnchors);

  1421.   generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);

  1422.   g_luaconfs.setState(luaconfsCopy);

  1423. 

  1424.   size_t queriesCount = 0;

  1425. 

  1426.   sr->setAsyncCallback([target, &queriesCount, keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {

  1427.     queriesCount++;

  1428. 

  1429.     if (type == QType::DS || type == QType::DNSKEY) {

  1430.       return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);

  1431.     }

  1432.     else {

  1433. 

  1434.       setLWResult(res, RCode::NXDomain, true, false, true);

  1435.       return 1;

  1436.     }

  1437. 

  1438.     return 0;

  1439.   });

  1440. 

  1441.   vector<DNSRecord> ret;

  1442.   int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  1443.   BOOST_CHECK_EQUAL(res, RCode::NXDomain);

  1444.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication);

  1445.   BOOST_REQUIRE_EQUAL(ret.size(), 0U);

  1446.   /* com|NS, powerdns.com|NS, powerdns.com|A */

  1447.   BOOST_CHECK_EQUAL(queriesCount, 3U);

  1448. 

  1449.   /* again, to test the cache */

  1450.   ret.clear();

  1451.   res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);

  1452.   BOOST_CHECK_EQUAL(res, RCode::NXDomain);

  1453.   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication);

  1454.   BOOST_REQUIRE_EQUAL(ret.size(), 0U);

  1455.   /* we don't store empty results */

  1456.   BOOST_CHECK_EQUAL(queriesCount, 4U);

  1457. }

  1458. 

  1459. BOOST_AUTO_TEST_SUITE_END()