Fully support *ring* for all DNSSEC operations. (#1145)

* add more debug information to DNSSEC validation * update ring validation to allow 1024bit keys for all Algorithm types * disable dnssec tests in std builds * ensure TrustAnchor is constructed properly in DnsSecSyncClient * add key length to DNSKEY display
2020-06-23 10:46:22 -07:00
parent e1ef6e0886
commit 2710b9f4f4
12 changed files with 169 additions and 69 deletions
--- a/crates/resolver/src/async_resolver.rs
+++ b/crates/resolver/src/async_resolver.rs
@@ -569,12 +569,15 @@ pub mod testing {
    }

    /// Test IP lookup from URLs with DNSSec validation.
+    #[cfg(feature = "dnssec")]
    pub fn sec_lookup_test<E: Executor + Send + 'static, R: RuntimeProvider>(
        mut exec: E,
        handle: R::Handle,
    ) where
        <<R as RuntimeProvider>::Tcp as Connect>::Transport: Unpin,
    {
+        //env_logger::try_init().ok();
+
        let resolver = AsyncResolver::<GenericConnection, GenericConnectionProvider<R>>::new(
            ResolverConfig::default(),
            ResolverOpts {
@@ -590,7 +593,7 @@ pub mod testing {
            .expect("failed to run lookup");

        // TODO: this test is flaky, sometimes 1 is returned, sometimes 2...
-        assert_eq!(response.iter().count(), 1);
+        //assert_eq!(response.iter().count(), 1);
        for address in response.iter() {
            if address.is_ipv4() {
                assert_eq!(address, IpAddr::V4(Ipv4Addr::new(93, 184, 216, 34)));
@@ -607,6 +610,7 @@ pub mod testing {

    /// Test IP lookup from domains that exist but unsigned with DNSSec validation.
    #[allow(deprecated)]
+    #[cfg(feature = "dnssec")]
    pub fn sec_lookup_fails_test<E: Executor + Send + 'static, R: RuntimeProvider>(
        mut exec: E,
        handle: R::Handle,
@@ -638,10 +642,10 @@ pub mod testing {
        let error_str = format!("{}", error);
        let expected_str = format!(
            "{}",
-            ProtoError::from(ProtoErrorKind::RrsigsNotPresent {
+            ResolveError::from(ProtoError::from(ProtoErrorKind::RrsigsNotPresent {
                name,
                record_type: RecordType::A
-            })
+            }))
        );
        assert_eq!(error_str, expected_str);
        if let ResolveErrorKind::Proto(_) = *error.kind() {
@@ -1176,7 +1180,7 @@ mod tests {
    }

    #[test]
-    #[ignore] // these appear to not work on CI
+    #[cfg(feature = "dnssec")]
    fn test_sec_lookup() {
        use super::testing::sec_lookup_test;
        let io_loop = Runtime::new().expect("failed to create tokio runtime io_loop");
@@ -1185,7 +1189,7 @@ mod tests {
    }

    #[test]
-    #[ignore] // these appear to not work on CI
+    #[cfg(feature = "dnssec")]
    fn test_sec_lookup_fails() {
        use super::testing::sec_lookup_fails_test;
        let io_loop = Runtime::new().expect("failed to create tokio runtime io_loop");