Merge pull request #51 from ferrous-systems/ja-hickory-name-server-take-2

support Hickory in the NameServer role

packages/conformance-tests/src/lib.rs

@@ -1,3 +1,4 @@
 #![cfg(test)]
 
+mod name_server;
 mod resolver;

packages/conformance-tests/src/name_server.rs

@@ -0,0 +1,2 @@
+mod rfc4035;
+mod scenarios;

packages/conformance-tests/src/name_server/rfc4035.rs

@@ -0,0 +1 @@
+mod section_3;

packages/conformance-tests/src/name_server/rfc4035/section_3.rs

@@ -0,0 +1 @@
+mod section_3_1;

packages/conformance-tests/src/name_server/rfc4035/section_3/section_3_1.rs

@@ -0,0 +1 @@
+mod section_3_1_1;

packages/conformance-tests/src/name_server/rfc4035/section_3/section_3_1/section_3_1_1.rs

@@ -0,0 +1,64 @@
+use dns_test::client::{Client, DigSettings};
+use dns_test::name_server::NameServer;
+use dns_test::record::{Record, RecordType};
+use dns_test::{Network, Result, FQDN};
+
+#[test]
+#[ignore]
+fn rrsig_in_answer_section() -> Result<()> {
+    let network = Network::new()?;
+
+    let ns = NameServer::new(&dns_test::subject(), FQDN::ROOT, &network)?
+        .sign()?
+        .start()?;
+
+    let client = Client::new(&network)?;
+    let ns_fqdn = ns.fqdn();
+    let ans = client.dig(
+        *DigSettings::default().dnssec(),
+        ns.ipv4_addr(),
+        RecordType::A,
+        ns_fqdn,
+    )?;
+
+    assert!(ans.status.is_noerror());
+    let [a, rrsig] = ans.answer.try_into().unwrap();
+
+    assert!(matches!(a, Record::A(..)));
+    let rrsig = rrsig.try_into_rrsig().unwrap();
+    assert_eq!(RecordType::A, rrsig.type_covered);
+    assert_eq!(ns_fqdn, &rrsig.fqdn);
+
+    Ok(())
+}
+
+#[test]
+#[ignore]
+fn rrsig_in_authority_section() -> Result<()> {
+    let network = Network::new()?;
+
+    let ns = NameServer::new(&dns_test::subject(), FQDN::ROOT, &network)?
+        .sign()?
+        .start()?;
+
+    let client = Client::new(&network)?;
+    let ans = client.dig(
+        *DigSettings::default().dnssec(),
+        ns.ipv4_addr(),
+        RecordType::SOA,
+        &FQDN::ROOT,
+    )?;
+
+    assert!(ans.status.is_noerror());
+    let [ns, rrsig] = ans.authority.try_into().unwrap();
+
+    assert!(matches!(ns, Record::NS(..)));
+    let rrsig = rrsig.try_into_rrsig().unwrap();
+    assert_eq!(RecordType::NS, rrsig.type_covered);
+    assert_eq!(FQDN::ROOT, rrsig.fqdn);
+
+    Ok(())
+}
+
+// TODO Additional section
+// TODO TC bit

packages/conformance-tests/src/name_server/scenarios.rs

@@ -0,0 +1,23 @@
+use dns_test::client::{Client, DigSettings};
+use dns_test::name_server::NameServer;
+use dns_test::record::RecordType;
+use dns_test::{Network, Result, FQDN};
+
+#[test]
+fn authoritative_answer() -> Result<()> {
+    let network = &Network::new()?;
+    let ns = NameServer::new(&dns_test::subject(), FQDN::ROOT, network)?.start()?;
+
+    let client = Client::new(network)?;
+    let ans = client.dig(
+        DigSettings::default(),
+        ns.ipv4_addr(),
+        RecordType::SOA,
+        &FQDN::ROOT,
+    )?;
+
+    assert!(ans.status.is_noerror());
+    assert!(ans.flags.authoritative_answer);
+
+    Ok(())
+}

packages/dns-test/src/docker/hickory.Dockerfile

@@ -1,7 +1,9 @@
 FROM rust:1-slim-bookworm
 
+# ldns-utils = ldns-{key2ds,keygen,signzone}
 RUN apt-get update && \
     apt-get install -y \
+        ldnsutils \
         tshark
 
 # `dns-test` will invoke `docker build` from a temporary directory that contains

packages/dns-test/src/implementation.rs

@@ -34,13 +34,6 @@ pub enum Role {
     Resolver,
 }
 
-impl Role {
-    #[must_use]
-    pub fn is_resolver(&self) -> bool {
-        matches!(self, Self::Resolver)
-    }
-}
-
 #[derive(Clone)]
 pub enum Implementation {
     Bind,
@@ -112,7 +105,12 @@ impl Implementation {
                     )
                 }
 
-                Self::Hickory(_) => unimplemented!(),
+                Self::Hickory(_) => {
+                    minijinja::render!(
+                        include_str!("templates/hickory.name-server.toml.jinja"),
+                        fqdn => origin.as_str()
+                    )
+                }
             },
         }
     }
@@ -134,14 +132,7 @@ impl Implementation {
         match self {
             Implementation::Bind => &["named", "-g", "-d5"],
 
-            Implementation::Hickory(_) => {
-                assert!(
-                    role.is_resolver(),
-                    "hickory acting in `NameServer` role is currently not supported"
-                );
-
-                &["hickory-dns", "-d"]
-            }
+            Implementation::Hickory(_) => &["hickory-dns", "-d"],
 
             Implementation::Unbound => match role {
                 Role::NameServer => &["nsd", "-d"],

packages/dns-test/src/name_server.rs

@@ -156,14 +156,6 @@ impl NameServer<Stopped> {
     /// - one NS record, with this name server's FQDN set as the only available name server for
     /// the zone
     pub fn new(implementation: &Implementation, zone: FQDN, network: &Network) -> Result<Self> {
-        assert!(
-            matches!(
-                implementation,
-                Implementation::Unbound | Implementation::Bind
-            ),
-            "currently only `unbound` (`nsd`) and BIND can be used as a `NameServer`"
-        );
-
         let ns_count = ns_count();
         let nameserver = primary_ns(ns_count);
         let image = implementation.clone().into();

packages/dns-test/src/templates/hickory.name-server.toml.jinja

@@ -0,0 +1,4 @@
+[[zones]]
+zone = "{{ fqdn }}"
+zone_type = "Primary"
+file = "/etc/zones/main.zone"