add more EDE tests
This commit is contained in:
parent
4d31eca533
commit
b96aa89da9
@ -8,25 +8,11 @@ use dns_test::{Network, Resolver, Result, FQDN};
|
|||||||
#[ignore]
|
#[ignore]
|
||||||
#[test]
|
#[test]
|
||||||
fn dnskey_missing() -> Result<()> {
|
fn dnskey_missing() -> Result<()> {
|
||||||
let subject = dns_test::subject();
|
fixture(
|
||||||
let supports_ede = subject.supports_ede();
|
ExtendedDnsError::DnskeyMissing,
|
||||||
|
|_needle_fqdn, zone, records| {
|
||||||
let expected_ipv4_addr = Ipv4Addr::new(1, 2, 3, 4);
|
|
||||||
let needle_fqdn = FQDN("example.nameservers.com.")?;
|
|
||||||
|
|
||||||
let network = Network::new()?;
|
|
||||||
let mut leaf_ns = NameServer::new(&dns_test::peer(), FQDN::NAMESERVERS, &network)?;
|
|
||||||
leaf_ns.add(Record::a(needle_fqdn.clone(), expected_ipv4_addr));
|
|
||||||
|
|
||||||
let Graph {
|
|
||||||
nameservers: _nameservers,
|
|
||||||
root,
|
|
||||||
trust_anchor,
|
|
||||||
} = Graph::build(
|
|
||||||
leaf_ns,
|
|
||||||
Sign::AndAmend(&|zone, records| {
|
|
||||||
// remove the ZSK DNSKEY record
|
|
||||||
if zone == &FQDN::NAMESERVERS {
|
if zone == &FQDN::NAMESERVERS {
|
||||||
|
// remove the DNSKEY record that contains the ZSK
|
||||||
let mut remove_count = 0;
|
let mut remove_count = 0;
|
||||||
*records = records
|
*records = records
|
||||||
.drain(..)
|
.drain(..)
|
||||||
@ -44,8 +30,119 @@ fn dnskey_missing() -> Result<()> {
|
|||||||
!remove
|
!remove
|
||||||
})
|
})
|
||||||
.collect();
|
.collect();
|
||||||
assert_eq!(1, remove_count);
|
assert_eq!(1, remove_count, "sanity check");
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
#[ignore]
|
||||||
|
#[test]
|
||||||
|
fn rrsigs_missing() -> Result<()> {
|
||||||
|
fixture(
|
||||||
|
ExtendedDnsError::RrsigsMissing,
|
||||||
|
|needle_fqdn, zone, records| {
|
||||||
|
if zone == &FQDN::NAMESERVERS {
|
||||||
|
// remove the RRSIG records that covers the needle record
|
||||||
|
let mut remove_count = 0;
|
||||||
|
*records = records
|
||||||
|
.drain(..)
|
||||||
|
.filter(|record| {
|
||||||
|
let remove = if let Record::RRSIG(rrsig) = record {
|
||||||
|
rrsig.type_covered == RecordType::A && rrsig.fqdn == *needle_fqdn
|
||||||
|
} else {
|
||||||
|
false
|
||||||
|
};
|
||||||
|
|
||||||
|
if remove {
|
||||||
|
remove_count += 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
!remove
|
||||||
|
})
|
||||||
|
.collect();
|
||||||
|
assert_eq!(1, remove_count, "sanity check");
|
||||||
|
}
|
||||||
|
},
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
#[ignore]
|
||||||
|
#[test]
|
||||||
|
fn unsupported_dnskey_algorithm() -> Result<()> {
|
||||||
|
fixture(
|
||||||
|
ExtendedDnsError::UnsupportedDnskeyAlgorithm,
|
||||||
|
|needle_fqdn, zone, records| {
|
||||||
|
if zone == &FQDN::NAMESERVERS {
|
||||||
|
// lie about the algorithm that was used to sign the needle record
|
||||||
|
let mut modified_count = 0;
|
||||||
|
for record in records {
|
||||||
|
if let Record::RRSIG(rrsig) = record {
|
||||||
|
if rrsig.type_covered == RecordType::A && rrsig.fqdn == *needle_fqdn {
|
||||||
|
assert_ne!(1, rrsig.algorithm, "modify the value below");
|
||||||
|
rrsig.algorithm = 1;
|
||||||
|
modified_count += 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
assert_eq!(1, modified_count, "sanity check");
|
||||||
|
}
|
||||||
|
},
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
#[ignore]
|
||||||
|
#[test]
|
||||||
|
fn dnssec_bogus() -> Result<()> {
|
||||||
|
fixture(
|
||||||
|
ExtendedDnsError::DnssecBogus,
|
||||||
|
|needle_fqdn, zone, records| {
|
||||||
|
if zone == &FQDN::NAMESERVERS {
|
||||||
|
// corrupt the RRSIG record that covers the needle record
|
||||||
|
let mut modified_count = 0;
|
||||||
|
for record in records {
|
||||||
|
if let Record::RRSIG(rrsig) = record {
|
||||||
|
if rrsig.type_covered == RecordType::A && rrsig.fqdn == *needle_fqdn {
|
||||||
|
rrsig.signature_expiration = rrsig.signature_inception - 1;
|
||||||
|
modified_count += 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
assert_eq!(1, modified_count, "sanity check");
|
||||||
|
}
|
||||||
|
},
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sets up a minimal, DNSSEC-enabled DNS graph where the leaf zone contains a "needle" A record
|
||||||
|
// that we'll search for
|
||||||
|
//
|
||||||
|
// `amend` can be used to modify zone files *after* they have been signed. it's used to introduce
|
||||||
|
// errors in the signed zone files
|
||||||
|
//
|
||||||
|
// the query for the needle record is expected to fail with the `expected` Extended DNS Error
|
||||||
|
fn fixture(
|
||||||
|
expected: ExtendedDnsError,
|
||||||
|
amend: fn(needle_fqdn: &FQDN, zone: &FQDN, records: &mut Vec<Record>),
|
||||||
|
) -> Result<()> {
|
||||||
|
let subject = dns_test::subject();
|
||||||
|
let supports_ede = subject.supports_ede();
|
||||||
|
|
||||||
|
let expected_ipv4_addr = Ipv4Addr::new(1, 2, 3, 4);
|
||||||
|
let needle_fqdn = FQDN("example.nameservers.com.")?;
|
||||||
|
|
||||||
|
let network = Network::new()?;
|
||||||
|
let mut leaf_ns = NameServer::new(&dns_test::peer(), FQDN::NAMESERVERS, &network)?;
|
||||||
|
leaf_ns.add(Record::a(needle_fqdn.clone(), expected_ipv4_addr));
|
||||||
|
|
||||||
|
let Graph {
|
||||||
|
nameservers: _nameservers,
|
||||||
|
root,
|
||||||
|
trust_anchor,
|
||||||
|
} = Graph::build(
|
||||||
|
leaf_ns,
|
||||||
|
Sign::AndAmend(&|zone, records| {
|
||||||
|
amend(&needle_fqdn, zone, records);
|
||||||
}),
|
}),
|
||||||
)?;
|
)?;
|
||||||
|
|
||||||
@ -67,7 +164,7 @@ fn dnskey_missing() -> Result<()> {
|
|||||||
assert!(output.status.is_servfail());
|
assert!(output.status.is_servfail());
|
||||||
|
|
||||||
if supports_ede {
|
if supports_ede {
|
||||||
assert_eq!(Some(ExtendedDnsError::DnskeyMissing), output.ede);
|
assert_eq!(Some(expected), output.ede);
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
|
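Review bot: `dnssec_bogus` asserts `ExtendedDnsError::DnssecBogus` (code 6), but its amendment `rrsig.signature_expiration = rrsig.signature_inception - 1;` only moves the signature's validity window into the past, and RFC 8914 reserves dedicated codes for exactly that failure (7 "Signature Expired", 8 "Signature Not Yet Valid"), so a validator that reports the specific reason would not return 6 and the `_ => todo!(..)` fallback in the EDE parser would turn the mismatch into a panic. Corrupting the signature material itself (e.g. flipping a bit in the RRSIG's signature bytes, if the `Record::RRSIG` struct exposes that field) is the implementation-neutral way to force a bogus verdict, and it would make the comment `// corrupt the RRSIG record that covers the needle record` match what the code actually does. The same caveat applies to `unsupported_dnskey_algorithm`, which rewrites only the RRSIG's `algorithm` to 1 while the zone's DNSKEY RRset keeps its original algorithm; RFC 8914 code 1 describes a DNSKEY RRset containing only unsupported algorithms, so some resolvers may answer with 6 or 9 instead — worth checking against the target resolver before removing `#[ignore]`. Note also that `signature_inception - 1` would underflow on an unsigned field if inception were 0; harmless with real signing timestamps, but `wrapping_sub(1)` or a one-line comment would make the intent explicit. The body of `fixture` continues past this hunk into the following one.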
@ -255,8 +255,10 @@ impl FromStr for DigOutput {
|
|||||||
|
|
||||||
#[derive(Debug, PartialEq)]
|
#[derive(Debug, PartialEq)]
|
||||||
pub enum ExtendedDnsError {
|
pub enum ExtendedDnsError {
|
||||||
DnssecBogus,
|
|
||||||
DnskeyMissing,
|
DnskeyMissing,
|
||||||
|
DnssecBogus,
|
||||||
|
RrsigsMissing,
|
||||||
|
UnsupportedDnskeyAlgorithm,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl FromStr for ExtendedDnsError {
|
impl FromStr for ExtendedDnsError {
|
||||||
@ -266,8 +268,10 @@ impl FromStr for ExtendedDnsError {
|
|||||||
let code: u16 = input.parse()?;
|
let code: u16 = input.parse()?;
|
||||||
|
|
||||||
let code = match code {
|
let code = match code {
|
||||||
|
1 => Self::UnsupportedDnskeyAlgorithm,
|
||||||
6 => Self::DnssecBogus,
|
6 => Self::DnssecBogus,
|
||||||
9 => Self::DnskeyMissing,
|
9 => Self::DnskeyMissing,
|
||||||
|
10 => Self::RrsigsMissing,
|
||||||
_ => todo!("EDE {code} has not yet been implemented"),
|
_ => todo!("EDE {code} has not yet been implemented"),
|
||||||
};
|
};
|
||||||
|
|
||||||
|
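Review bot: The retained `_ => todo!("EDE {code} has not yet been implemented")` arm means any code outside {1, 6, 9, 10} — notably 7 (Signature Expired) and 8 (Signature Not Yet Valid), which the new `dnssec_bogus` fixture could plausibly elicit — aborts parsing with a panic, so a test whose resolver reports a neighbouring code fails inside `from_str` instead of with a readable `assert_eq!` diff showing the actual code. Since this is a `FromStr` impl that already propagates the integer parse failure with `?`, an unmapped code should be an error rather than a panic, e.g. `_ => return Err(format!("unmapped EDE code {code}").into()),` if the associated `Err` type accepts it, or the enum could gain a catch-all `Other(u16)` variant (`_ => Self::Other(code)`) so the received code is visible in the assertion output. The `todo!` line is context rather than new code, but the new arms added here make the gap more likely to be hit.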