package file
import (
"context"
"strings"
"testing"
"github.com/coredns/coredns/plugin/pkg/dnstest"
"github.com/coredns/coredns/plugin/test"
"github.com/miekg/dns"
)
// dnssecTestCases lists queries against the signed miek.nl zone together with
// the records expected in the response. Every case sets Do: true, so each
// expected RRset is accompanied by the RRSIG that covers it, and the negative
// answers expect NSEC records in the authority section.
//
// The signature text in the expected RRSIG strings is far shorter than the
// signatures stored in dbMiekNLSigned, so these expectations cannot be a
// byte-for-byte copy of the zone's signatures.
// NOTE(review): presumably test.SortAndCheck compares RRSIG header fields
// rather than signature bytes; confirm in the plugin/test package. Either way,
// nothing here verifies a signature cryptographically.
//
// All OPT RR are added in server.go, so we don't specify them in the unit tests.
var dnssecTestCases = []test.Case{
{
// Apex SOA: the SOA record plus its RRSIG, with auth as the authority section.
Qname: "miek.nl.", Qtype: dns.TypeSOA, Do: true,
Answer: []dns.RR{
test.RRSIG("miek.nl. 1800 IN RRSIG SOA 8 2 1800 20160426031301 20160327031301 12051 miek.nl. FIrzy07acBbtyQczy1dc="),
test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
},
Ns: auth,
},
{
// Apex AAAA: the address record plus its RRSIG.
Qname: "miek.nl.", Qtype: dns.TypeAAAA, Do: true,
Answer: []dns.RR{
test.AAAA("miek.nl. 1800 IN AAAA 2a01:7e00::f03c:91ff:fef1:6735"),
test.RRSIG("miek.nl. 1800 IN RRSIG AAAA 8 2 1800 20160426031301 20160327031301 12051 miek.nl. SsRT="),
},
Ns: auth,
},
{
// Apex NS: the NS RRset and its RRSIG are the answer; no Ns expectation is set.
Qname: "miek.nl.", Qtype: dns.TypeNS, Do: true,
Answer: []dns.RR{
test.NS("miek.nl. 1800 IN NS ext.ns.whyscream.net."),
test.NS("miek.nl. 1800 IN NS linode.atoom.net."),
test.NS("miek.nl. 1800 IN NS ns-ext.nlnetlabs.nl."),
test.NS("miek.nl. 1800 IN NS omval.tednet.nl."),
test.RRSIG("miek.nl. 1800 IN RRSIG NS 8 2 1800 20160426031301 20160327031301 12051 miek.nl. ZLtsQhwaz+lHfNpztFoR1Vxs="),
},
},
{
// Apex MX: the five MX records plus one RRSIG covering the RRset.
Qname: "miek.nl.", Qtype: dns.TypeMX, Do: true,
Answer: []dns.RR{
test.MX("miek.nl. 1800 IN MX 1 aspmx.l.google.com."),
test.MX("miek.nl. 1800 IN MX 10 aspmx2.googlemail.com."),
test.MX("miek.nl. 1800 IN MX 10 aspmx3.googlemail.com."),
test.MX("miek.nl. 1800 IN MX 5 alt1.aspmx.l.google.com."),
test.MX("miek.nl. 1800 IN MX 5 alt2.aspmx.l.google.com."),
test.RRSIG("miek.nl. 1800 IN RRSIG MX 8 2 1800 20160426031301 20160327031301 12051 miek.nl. kLqG+iOr="),
},
Ns: auth,
},
{
// CNAME: www.miek.nl. is an alias for a.miek.nl., so the answer holds the
// CNAME and the target's A record, each with its own RRSIG.
Qname: "www.miek.nl.", Qtype: dns.TypeA, Do: true,
Answer: []dns.RR{
test.A("a.miek.nl. 1800 IN A 139.162.196.78"),
test.RRSIG("a.miek.nl. 1800 IN RRSIG A 8 3 1800 20160426031301 20160327031301 12051 miek.nl. lxLotCjWZ3kihTxk="),
test.CNAME("www.miek.nl. 1800 IN CNAME a.miek.nl."),
test.RRSIG("www.miek.nl. 1800 RRSIG CNAME 8 3 1800 20160426031301 20160327031301 12051 miek.nl. NVZmMJaypS+wDL2Lar4Zw1zF"),
},
Ns: auth,
},
{
// NoData: a.miek.nl. exists but has no SRV record. No Rcode is set for this
// case; the authority section is expected to carry the name's NSEC (type
// bitmap "A AAAA RRSIG NSEC", i.e. no SRV) and the SOA, both signed.
Qname: "a.miek.nl.", Qtype: dns.TypeSRV, Do: true,
Ns: []dns.RR{
test.NSEC("a.miek.nl. 14400 IN NSEC archive.miek.nl. A AAAA RRSIG NSEC"),
test.RRSIG("a.miek.nl. 14400 IN RRSIG NSEC 8 3 14400 20160426031301 20160327031301 12051 miek.nl. GqnF6cutipmSHEao="),
test.RRSIG("miek.nl. 1800 IN RRSIG SOA 8 2 1800 20160426031301 20160327031301 12051 miek.nl. FIrzy07acBbtyQczy1dc="),
test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
},
},
{
// NXDOMAIN: two signed NSEC records are expected, archive.miek.nl. ->
// go.dns.miek.nl. and the apex miek.nl. -> a.miek.nl., plus the signed SOA.
// NOTE(review): presumably the first covers the query name and the apex
// record is the no-wildcard proof; confirm against the handler.
Qname: "b.miek.nl.", Qtype: dns.TypeA, Do: true,
Rcode: dns.RcodeNameError,
Ns: []dns.RR{
test.NSEC("archive.miek.nl. 14400 IN NSEC go.dns.miek.nl. CNAME RRSIG NSEC"),
test.RRSIG("archive.miek.nl. 14400 IN RRSIG NSEC 8 3 14400 20160426031301 20160327031301 12051 miek.nl. jEpx8lcp4do5fWXg="),
test.NSEC("miek.nl. 14400 IN NSEC a.miek.nl. A NS SOA MX AAAA RRSIG NSEC DNSKEY"),
test.RRSIG("miek.nl. 14400 IN RRSIG NSEC 8 2 14400 20160426031301 20160327031301 12051 miek.nl. mFfc3r/9PSC1H6oSpdC"),
test.RRSIG("miek.nl. 1800 IN RRSIG SOA 8 2 1800 20160426031301 20160327031301 12051 miek.nl. FIrzy07acBbtyQczy1dc="),
test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
},
},
{
// NXDOMAIN two labels below the apex: the expected authority section is
// the same as for b.miek.nl. above.
Qname: "b.blaat.miek.nl.", Qtype: dns.TypeA, Do: true,
Rcode: dns.RcodeNameError,
Ns: []dns.RR{
test.NSEC("archive.miek.nl. 14400 IN NSEC go.dns.miek.nl. CNAME RRSIG NSEC"),
test.RRSIG("archive.miek.nl. 14400 IN RRSIG NSEC 8 3 14400 20160426031301 20160327031301 12051 miek.nl. jEpx8lcp4do5fWXg="),
test.NSEC("miek.nl. 14400 IN NSEC a.miek.nl. A NS SOA MX AAAA RRSIG NSEC DNSKEY"),
test.RRSIG("miek.nl. 14400 IN RRSIG NSEC 8 2 14400 20160426031301 20160327031301 12051 miek.nl. mFfc3r/9PSC1H6oSpdC"),
test.RRSIG("miek.nl. 1800 IN RRSIG SOA 8 2 1800 20160426031301 20160327031301 12051 miek.nl. FIrzy07acBbtyQczy1dc="),
test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
},
},
{
// NXDOMAIN below an existing name (a.miek.nl.).
Qname: "b.a.miek.nl.", Qtype: dns.TypeA, Do: true,
Rcode: dns.RcodeNameError,
Ns: []dns.RR{
// Deduplicated NSEC: only one record (a.miek.nl. -> archive.miek.nl.) is
// expected, because that single NSEC carries the whole denial.
test.NSEC("a.miek.nl. 14400 IN NSEC archive.miek.nl. A AAAA RRSIG NSEC"),
test.RRSIG("a.miek.nl. 14400 IN RRSIG NSEC 8 3 14400 20160426031301 20160327031301 12051 miek.nl. GqnF6cut/RRGPQ1QGQE1ipmSHEao="),
test.RRSIG("miek.nl. 1800 IN RRSIG SOA 8 2 1800 20160426031301 20160327031301 12051 miek.nl. FIrzy07acBbtyQczy1dc="),
test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
},
},
}
// auth is the authority section shared by the test cases that set Ns: auth:
// the four miek.nl. NS records and the RRSIG covering that RRset.
// NOTE(review): the signature text here ("ZLtsQhwazbqSpztFoR1Vxs=") is not the
// same string as in the NS case of dnssecTestCases ("ZLtsQhwaz+lHfNpztFoR1Vxs="),
// and both are shorter than the RRSIG NS signature in dbMiekNLSigned.
// Presumably the comparison ignores signature bytes; confirm in plugin/test.
var auth = []dns.RR{
test.NS("miek.nl. 1800 IN NS ext.ns.whyscream.net."),
test.NS("miek.nl. 1800 IN NS linode.atoom.net."),
test.NS("miek.nl. 1800 IN NS ns-ext.nlnetlabs.nl."),
test.NS("miek.nl. 1800 IN NS omval.tednet.nl."),
test.RRSIG("miek.nl. 1800 IN RRSIG NS 8 2 1800 20160426031301 20160327031301 12051 miek.nl. ZLtsQhwazbqSpztFoR1Vxs="),
}
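// TestLookupDNSSEC parses the signed zone in dbMiekNLSigned, serves every
// query in dnssecTestCases through File.ServeDNS and compares each recorded
// response with the case's expectation via test.SortAndCheck.
//
// The test checks which records come back for DO queries (RRSIGs next to the
// RRsets, NSEC records in negative answers). It makes no call that verifies a
// signature or its validity window.
func TestLookupDNSSEC(t *testing.T) {
	zone, err := Parse(strings.NewReader(dbMiekNLSigned), testzone, "stdin", 0)
	if err != nil {
		t.Fatalf("Expected no error when reading zone, got %q", err)
	}

	fm := File{Next: test.ErrorHandler(), Zones: Zones{Z: map[string]*Zone{testzone: zone}, Names: []string{testzone}}}
	ctx := context.TODO()

	for _, tc := range dnssecTestCases {
		m := tc.Msg()

		// A fresh recorder per case, so a response can never leak from one
		// case into the next.
		rec := dnstest.NewRecorder(&test.ResponseWriter{})
		if _, err := fm.ServeDNS(ctx, rec, m); err != nil {
			// Keep going: one failing query should not hide the results of
			// the remaining DNSSEC cases.
			t.Errorf("%q (qtype %d): expected no error, got %v", tc.Qname, tc.Qtype, err)
			continue
		}

		resp := rec.Msg
		if resp == nil {
			// The handler returned without writing a message; report it here
			// instead of handing a nil message to the checker.
			t.Errorf("%q (qtype %d): no response was recorded", tc.Qname, tc.Qtype)
			continue
		}

		if err := test.SortAndCheck(resp, tc); err != nil {
			t.Errorf("%q (qtype %d): %v", tc.Qname, tc.Qtype, err)
		}
	}
}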
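// BenchmarkFileLookupDNSSEC measures File.ServeDNS for a DO query for
// b.miek.nl. A against the signed zone in dbMiekNLSigned. dnssecTestCases
// expects NXDOMAIN with NSEC records for this query.
//
// Only the query built by tc.Msg() is used; the responses are not checked.
func BenchmarkFileLookupDNSSEC(b *testing.B) {
	zone, err := Parse(strings.NewReader(dbMiekNLSigned), testzone, "stdin", 0)
	if err != nil {
		// Fail loudly: a bare return would let the benchmark finish without
		// having measured anything.
		b.Fatalf("Expected no error when reading zone, got %q", err)
	}

	fm := File{Next: test.ErrorHandler(), Zones: Zones{Z: map[string]*Zone{testzone: zone}, Names: []string{testzone}}}
	ctx := context.TODO()
	rec := dnstest.NewRecorder(&test.ResponseWriter{})

	// Rcode and Ns are not read anywhere in this benchmark; they are kept so
	// the case mirrors the b.miek.nl. entry of dnssecTestCases.
	tc := test.Case{
		Qname: "b.miek.nl.", Qtype: dns.TypeA, Do: true,
		Rcode: dns.RcodeNameError,
		Ns: []dns.RR{
			test.NSEC("archive.miek.nl. 14400 IN NSEC go.dns.miek.nl. CNAME RRSIG NSEC"),
			test.RRSIG("archive.miek.nl. 14400 IN RRSIG NSEC 8 3 14400 20160426031301 20160327031301 12051 miek.nl. jEpx8lcp4do5fWXg="),
			test.NSEC("miek.nl. 14400 IN NSEC a.miek.nl. A NS SOA MX AAAA RRSIG NSEC DNSKEY"),
			test.RRSIG("miek.nl. 14400 IN RRSIG NSEC 8 2 14400 20160426031301 20160327031301 12051 miek.nl. mFfc3r/9PSC1H6oSpdC"),
			test.RRSIG("miek.nl. 1800 IN RRSIG SOA 8 2 1800 20160426031301 20160327031301 12051 miek.nl. FIrzy07acBbtyQczy1dc="),
			test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
		},
	}
	m := tc.Msg()

	b.ResetTimer()
	for i := 0; i < b.N; i++ {
		// A handler error would mean the loop is timing a failure path, so
		// stop instead of reporting a misleading number.
		if _, err := fm.ServeDNS(ctx, rec, m); err != nil {
			b.Fatalf("Expected no error, got %v", err)
		}
	}
}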
// dbMiekNLSigned is the signed miek.nl zone that the test and benchmark in
// this file parse and serve. Its own header says it was written by
// dnssec_signzone 9.10.3-P4-Ubuntu on 2016-03-27.
//
// Every RRSIG carries expiration 20160426031301 and inception 20160327031301,
// so the signatures are long outside their validity window. The test and
// benchmark in this file do not check that window.
//
// The base64 blocks are RRSIG signatures and the two DNSKEY public keys (ZSK
// key id 12051 and KSK key id 33694, per the inline zone comments). The zone
// text holds no private key material.
//
// NOTE(review): the continuation lines below start at column 0. Zone-file
// syntax relies on leading whitespace to inherit the previous owner name, so
// confirm the indentation against the repository copy.
const dbMiekNLSigned = `
; File written on Sun Mar 27 04:13:01 2016
; dnssec_signzone version 9.10.3-P4-Ubuntu
miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. (
1459051981 ; serial
14400 ; refresh (4 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
14400 ; minimum (4 hours)
)
1800 RRSIG SOA 8 2 1800 (
20160426031301 20160327031301 12051 miek.nl.
FIrzy07acBzrf6kNW13Ypmq/ahojoMqOj0qJ
ixTevTvwOEcVuw9GlJoYIHTYg+hm1sZHtx9K
RiVmYsm8SHKsJA1WzixtT4K7vQvM+T+qbeOJ
xA6YTivKUcGRWRXQlOTUAlHS/KqBEfmxKgRS
68G4oOEClFDSJKh7RbtyQczy1dc= )
1800 NS ext.ns.whyscream.net.
1800 NS omval.tednet.nl.
1800 NS linode.atoom.net.
1800 NS ns-ext.nlnetlabs.nl.
1800 RRSIG NS 8 2 1800 (
20160426031301 20160327031301 12051 miek.nl.
ZLtsQhwaz+CwrgzgFiEAqbqS/JH65MYjziA3
6EXwlGDy41lcfGm71PpxA7cDzFhWNkJNk4QF
q48wtpP4IGPPpHbnJHKDUXj6se7S+ylAGbS+
VgVJ4YaVcE6xA9ZVhVpz8CSSjeH34vmqq9xj
zmFjofuDvraZflHfNpztFoR1Vxs= )
1800 A 139.162.196.78
1800 RRSIG A 8 2 1800 (
20160426031301 20160327031301 12051 miek.nl.
hl+6Q075tsCkxIqbop8zZ6U8rlFvooz7Izzx
MgCZYVLcg75El28EXKIhBfRb1dPaKbd+v+AD
wrJMHL131pY5sU2Ly05K+7CqmmyaXgDaVsKS
rSw/TbhGDIItBemeseeuXGAKAbY2+gE7kNN9
mZoQ9hRB3SrxE2jhctv66DzYYQQ= )
1800 MX 1 aspmx.l.google.com.
1800 MX 5 alt1.aspmx.l.google.com.
1800 MX 5 alt2.aspmx.l.google.com.
1800 MX 10 aspmx2.googlemail.com.
1800 MX 10 aspmx3.googlemail.com.
1800 RRSIG MX 8 2 1800 (
20160426031301 20160327031301 12051 miek.nl.
kLqG+iOrKSzms1H9Et9me8Zts1rbyeCFSVQD
G9is/u6ec3Lqg2vwJddf/yRsjVpVgadWSAkc
GSDuD2dK8oBeP24axWc3Z1OY2gdMI7w+PKWT
Z+pjHVjbjM47Ii/a6jk5SYeOwpGMsdEwhtTP
vk2O2WGljifqV3uE7GshF5WNR10= )
1800 AAAA 2a01:7e00::f03c:91ff:fef1:6735
1800 RRSIG AAAA 8 2 1800 (
20160426031301 20160327031301 12051 miek.nl.
SsRTHytW4YTAuHovHQgfIMhNwMtMp4gaAU/Z
lgTO+IkBb9y9F8uHrf25gG6RqA1bnGV/gezV
NU5negXm50bf1BNcyn3aCwEbA0rCGYIL+nLJ
szlBVbBu6me/Ym9bbJlfgfHRDfsVy2ZkNL+B
jfNQtGCSDoJwshjcqJlfIVSardo= )
14400 NSEC a.miek.nl. A NS SOA MX AAAA RRSIG NSEC DNSKEY
14400 RRSIG NSEC 8 2 14400 (
20160426031301 20160327031301 12051 miek.nl.
mFfc3r/9PSC1H6oSpdC+FDy/Iu02W2Tf0x+b
n6Lpe1gCC1uvcSUrrmBNlyAWRr5Zm+ZXssEb
cKddRGiu/5sf0bUWrs4tqokL/HUl10X/sBxb
HfwNAeD7R7+CkpMv67li5AhsDgmQzpX2r3P6
/6oZyLvODGobysbmzeWM6ckE8IE= )
1800 DNSKEY 256 3 8 (
AwEAAcNEU67LJI5GEgF9QLNqLO1SMq1EdoQ6
E9f85ha0k0ewQGCblyW2836GiVsm6k8Kr5EC
IoMJ6fZWf3CQSQ9ycWfTyOHfmI3eQ/1Covhb
2y4bAmL/07PhrL7ozWBW3wBfM335Ft9xjtXH
Py7ztCbV9qZ4TVDTW/Iyg0PiwgoXVesz
) ; ZSK; alg = RSASHA256; key id = 12051
1800 DNSKEY 257 3 8 (
AwEAAcWdjBl4W4wh/hPxMDcBytmNCvEngIgB
9Ut3C2+QI0oVz78/WK9KPoQF7B74JQ/mjO4f
vIncBmPp6mFNxs9/WQX0IXf7oKviEVOXLjct
R4D1KQLX0wprvtUIsQFIGdXaO6suTT5eDbSd
6tTwu5xIkGkDmQhhH8OQydoEuCwV245ZwF/8
AIsqBYDNQtQ6zhd6jDC+uZJXg/9LuPOxFHbi
MTjp6j3CCW0kHbfM/YHZErWWtjPj3U3Z7knQ
SIm5PO5FRKBEYDdr5UxWJ/1/20SrzI3iztvP
wHDsA2rdHm/4YRzq7CvG4N0t9ac/T0a0Sxba
/BUX2UVPWaIVBdTRBtgHi0s=
) ; KSK; alg = RSASHA256; key id = 33694
1800 RRSIG DNSKEY 8 2 1800 (
20160426031301 20160327031301 12051 miek.nl.
o/D6o8+/bNGQyyRvwZ2hM0BJ+3HirvNjZoko
yGhGe9sPSrYU39WF3JVIQvNJFK6W3/iwlKir
TPOeYlN6QilnztFq1vpCxwj2kxJaIJhZecig
LsKxY/fOHwZlIbBLZZadQG6JoGRLHnImSzpf
xtyVaXQtfnJFC07HHt9np3kICfE= )
1800 RRSIG DNSKEY 8 2 1800 (
20160426031301 20160327031301 33694 miek.nl.
Ak/mbbQVQV+nUgw5Sw/c+TSoYqIwbLARzuNE
QJvJNoRR4tKVOY6qSxQv+j5S7vzyORZ+yeDp
NlEa1T9kxZVBMABoOtLX5kRqZncgijuH8fxb
L57Sv2IzINI9+DOcy9Q9p9ygtwYzQKrYoNi1
0hwHi6emGkVG2gGghruMinwOJASGgQy487Yd
eIpcEKJRw73nxd2le/4/Vafy+mBpKWOczfYi
5m9MSSxcK56NFYjPG7TvdIw0m70F/smY9KBP
pGWEdzRQDlqfZ4fpDaTAFGyRX0mPFzMbs1DD
3hQ4LHUSi/NgQakdH9eF42EVEDeL4cI69K98
6NNk6X9TRslO694HKw== )
a.miek.nl. 1800 IN A 139.162.196.78
1800 RRSIG A 8 3 1800 (
20160426031301 20160327031301 12051 miek.nl.
lxLotCjWZ3kikNNcePu6HOCqMHDINKFRJRD8
laz2KQ9DKtgXPdnRw5RJvVITSj8GUVzw1ec1
CYVEKu/eMw/rc953Zns528QBypGPeMNLe2vu
C6a6UhZnGHA48dSd9EX33eSJs0MP9xsC9csv
LGdzYmv++eslkKxkhSOk2j/hTxk= )
1800 AAAA 2a01:7e00::f03c:91ff:fef1:6735
1800 RRSIG AAAA 8 3 1800 (
20160426031301 20160327031301 12051 miek.nl.
ji3QMlaUzlK85ppB5Pc+y2WnfqOi6qrm6dm1
bXgsEov/5UV1Lmcv8+Y5NBbTbBlXGlWcpqNp
uWpf9z3lbguDWznpnasN2MM8t7yxo/Cr7WRf
QCzui7ewpWiA5hq7j0kVbM4nnDc6cO+U93hO
mMhVbeVI70HM2m0HaHkziEyzVZk= )
14400 NSEC archive.miek.nl. A AAAA RRSIG NSEC
14400 RRSIG NSEC 8 3 14400 (
20160426031301 20160327031301 12051 miek.nl.
GqnF6cut/KCxbnJj27MCjjVGkjObV0hLhHOP
E1/GXAUTEKG6BWxJq8hidS3p/yrOmP5PEL9T
4FjBp0/REdVmGpuLaiHyMselES82p/uMMdY5
QqRM6LHhZdO1zsRbyzOZbm5MsW6GR7K2kHlX
9TdBIULiRRGPQ1QGQE1ipmSHEao= )
archive.miek.nl. 1800 IN CNAME a.miek.nl.
1800 RRSIG CNAME 8 3 1800 (
20160426031301 20160327031301 12051 miek.nl.
s4zVJiDrVuUiUFr8CNQLuXYYfpqpl8rovL50
BYsub/xK756NENiOTAOjYH6KYg7RSzsygJjV
YQwXolZly2/KXAr48SCtxzkGFxLexxiKcFaj
vm7ZDl7Btoa5l68qmBcxOX5E/W0IKITi4PNK
mhBs7dlaf0IbPGNgMxae72RosxM= )
14400 NSEC go.dns.miek.nl. CNAME RRSIG NSEC
14400 RRSIG NSEC 8 3 14400 (
20160426031301 20160327031301 12051 miek.nl.
jEp7LsoK++/PRFh2HieLzasA1jXBpp90NyDf
RfpfOxdM69yRKfvXMc2bazIiMuDhxht79dGI
Gj02cn1cvX60SlaHkeFtqTdJcHdK9rbI65EK
YHFZFzGh9XVnuMJKpUsm/xS1dnUSAnXN8q+0
xBlUDlQpsAFv/cx8lcp4do5fWXg= )
go.dns.miek.nl. 1800 IN TXT "Hello!"
1800 RRSIG TXT 8 4 1800 (
20160426031301 20160327031301 12051 miek.nl.
O0uo1NsXTq2TTfgOmGbHQQEchrcpllaDAMMX
dTDizw3t+vZ5SR32qJ8W7y6VXLgUqJgcdRxS
Fou1pp+t5juRZSQ0LKgxMpZAgHorkzPvRf1b
E9eBKrDSuLGagsQRwHeldFGFgsXtCbf07vVH
zoKR8ynuG4/cAoY0JzMhCts+56U= )
14400 NSEC www.miek.nl. TXT RRSIG NSEC
14400 RRSIG NSEC 8 4 14400 (
20160426031301 20160327031301 12051 miek.nl.
BW6qo7kYe3Z+Y0ebaVTWTy1c3bpdf8WUEoXq
WDQxLDEj2fFiuEBDaSN5lTWRg3wj8kZmr6Uk
LvX0P29lbATFarIgkyiAdbOEdaf88nMfqBW8
z2T5xrPQcN0F13uehmv395yAJs4tebRxErMl
KdkVF0dskaDvw8Wo3YgjHUf6TXM= )
www.miek.nl. 1800 IN CNAME a.miek.nl.
1800 RRSIG CNAME 8 3 1800 (
20160426031301 20160327031301 12051 miek.nl.
MiQQh2lScoNiNVZmMJaypS+wDL2Lar4Zw1zF
Uo4tL16BfQOt7yl8gXdAH2JMFqoKAoIdM2K6
XwFOwKTOGSW0oNCOcaE7ts+1Z1U0H3O2tHfq
FAzfg1s9pQ5zxk8J/bJgkVIkw2/cyB0y1/PK
EmIqvChBSb4NchTuMCSqo63LJM8= )
14400 NSEC miek.nl. CNAME RRSIG NSEC
14400 RRSIG NSEC 8 3 14400 (
20160426031301 20160327031301 12051 miek.nl.
OPPZ8iaUPrVKEP4cqeCiiv1WLRAY30GRIhc/
me0gBwFkbmTEnvB+rUp831OJZDZBNKv4QdZj
Uyc26wKUOQeUyMJqv4IRDgxH7nq9GB5JRjYZ
IVxtGD1aqWLXz+8aMaf9ARJjtYUd3K4lt8Wz
LbJSo5Wdq7GOWqhgkY5n3XD0/FA= )`