From 05ffecec45d8098fd29e8ac1d1bf4f47abc1f4e6 Mon Sep 17 00:00:00 2001
From: Jorge Aparicio <jorge.aparicio@ferrous-systems.com>
Date: Mon, 11 Mar 2024 14:15:44 +0100
Subject: [PATCH] add a few NameServer role DNSSEC tests

---
 packages/conformance-tests/src/lib.rs         |  1 +
 packages/conformance-tests/src/name_server.rs |  1 +
 .../src/name_server/rfc4035.rs                |  1 +
 .../src/name_server/rfc4035/section_3.rs      |  1 +
 .../rfc4035/section_3/section_3_1.rs          |  1 +
 .../section_3/section_3_1/section_3_1_1.rs    | 61 +++++++++++++++++++
 6 files changed, 66 insertions(+)
 create mode 100644 packages/conformance-tests/src/name_server.rs
 create mode 100644 packages/conformance-tests/src/name_server/rfc4035.rs
 create mode 100644 packages/conformance-tests/src/name_server/rfc4035/section_3.rs
 create mode 100644 packages/conformance-tests/src/name_server/rfc4035/section_3/section_3_1.rs
 create mode 100644 packages/conformance-tests/src/name_server/rfc4035/section_3/section_3_1/section_3_1_1.rs

diff --git a/packages/conformance-tests/src/lib.rs b/packages/conformance-tests/src/lib.rs
index dd939657..a92b491a 100644
--- a/packages/conformance-tests/src/lib.rs
+++ b/packages/conformance-tests/src/lib.rs
@@ -1,3 +1,4 @@
 #![cfg(test)]
 
+mod name_server;
 mod resolver;
diff --git a/packages/conformance-tests/src/name_server.rs b/packages/conformance-tests/src/name_server.rs
new file mode 100644
index 00000000..c7c01a74
--- /dev/null
+++ b/packages/conformance-tests/src/name_server.rs
@@ -0,0 +1 @@
+mod rfc4035;
diff --git a/packages/conformance-tests/src/name_server/rfc4035.rs b/packages/conformance-tests/src/name_server/rfc4035.rs
new file mode 100644
index 00000000..10712e9e
--- /dev/null
+++ b/packages/conformance-tests/src/name_server/rfc4035.rs
@@ -0,0 +1 @@
+mod section_3;
diff --git a/packages/conformance-tests/src/name_server/rfc4035/section_3.rs b/packages/conformance-tests/src/name_server/rfc4035/section_3.rs
new file mode 100644
index 00000000..137bed61
--- /dev/null
+++ b/packages/conformance-tests/src/name_server/rfc4035/section_3.rs
@@ -0,0 +1 @@
+mod section_3_1;
diff --git a/packages/conformance-tests/src/name_server/rfc4035/section_3/section_3_1.rs b/packages/conformance-tests/src/name_server/rfc4035/section_3/section_3_1.rs
new file mode 100644
index 00000000..5656f46d
--- /dev/null
+++ b/packages/conformance-tests/src/name_server/rfc4035/section_3/section_3_1.rs
@@ -0,0 +1 @@
+mod section_3_1_1;
diff --git a/packages/conformance-tests/src/name_server/rfc4035/section_3/section_3_1/section_3_1_1.rs b/packages/conformance-tests/src/name_server/rfc4035/section_3/section_3_1/section_3_1_1.rs
new file mode 100644
index 00000000..8477b76a
--- /dev/null
+++ b/packages/conformance-tests/src/name_server/rfc4035/section_3/section_3_1/section_3_1_1.rs
@@ -0,0 +1,61 @@
+use dns_test::client::{Client, DigSettings};
+use dns_test::name_server::NameServer;
+use dns_test::record::{Record, RecordType};
+use dns_test::{Network, Result, FQDN};
+
+#[test]
+fn rrsig_in_answer_section() -> Result<()> {
+    let network = Network::new()?;
+
+    let ns = NameServer::new(&dns_test::subject(), FQDN::ROOT, &network)?
+        .sign()?
+        .start()?;
+
+    let client = Client::new(&network)?;
+    let ns_fqdn = ns.fqdn();
+    let ans = client.dig(
+        *DigSettings::default().dnssec(),
+        ns.ipv4_addr(),
+        RecordType::A,
+        ns_fqdn,
+    )?;
+
+    assert!(ans.status.is_noerror());
+    let [a, rrsig] = ans.answer.try_into().unwrap();
+
+    assert!(matches!(a, Record::A(..)));
+    let rrsig = rrsig.try_into_rrsig().unwrap();
+    assert_eq!(RecordType::A, rrsig.type_covered);
+    assert_eq!(ns_fqdn, &rrsig.fqdn);
+
+    Ok(())
+}
+
+#[test]
+fn rrsig_in_authority_section() -> Result<()> {
+    let network = Network::new()?;
+
+    let ns = NameServer::new(&dns_test::subject(), FQDN::ROOT, &network)?
+        .sign()?
+        .start()?;
+
+    let client = Client::new(&network)?;
+    let ans = client.dig(
+        *DigSettings::default().dnssec(),
+        ns.ipv4_addr(),
+        RecordType::SOA,
+        &FQDN::ROOT,
+    )?;
+
+    assert!(ans.status.is_noerror());
+    let [ns, rrsig] = ans.authority.try_into().unwrap();
+
+    assert!(matches!(ns, Record::NS(..)));
+    let rrsig = rrsig.try_into_rrsig().unwrap();
+    assert_eq!(RecordType::NS, rrsig.type_covered);
+    assert_eq!(FQDN::ROOT, rrsig.fqdn);
+
+    Ok(())
+}
+
+// TODO Additional section