mirror/dev fork of https://github.com/hickory-dns/hickory-dns
dnssec-tests
Test infrastructure for DNSSEC conformance tests.
Design goals
- Tests MUST NOT depend on external services like 1.1.1.1 or 8.8.8.8
  - rationale: it must be possible to run tests locally, without internet access
- Not all nodes in the network must be the subject under test.
  - rationale: test inter-operability with other software like unbound and nsd
- All test input must be local files or constants
  - rationale: tests are self-contained
Minimally working DNSSEC-enabled network
- root domain (.)
  - name server: nsd (my.root-server.com)
- TLD domain (com.)
  - name server: nsd (ns.com)
- target domain (example.com.)
  - name server: nsd (ns.example.com)
- recursive resolver: unbound
  - configured to use my.root-server.com as root server
  - configured with a trust anchor: the public key of my.root-server.com

Each name server has
- a zone signing key pair
- a key signing key pair
- signed zone files
exploration
Notes:
- run all containers with --cap-add=NET_RAW --cap-add=NET_ADMIN
- use docker exec to run tshark on the network nodes (containers) of interest
nsd for the root name server
run: nsd -d

/etc/nsd/nsd.conf
```
remote-control:
  control-enable: no

zone:
  name: .
  zonefile: /etc/nsd/zones/main.zone
```

/etc/nsd/zones/main.zone
```
$ORIGIN .
$TTL 1800
@ IN SOA primary.root-server.com. admin.root-server.com. (
    2014080301
    3600
    900
    1209600
    1800
)
@ IN NS primary.root-server.com.
; referral
com. IN NS primary.tld-server.com.
primary.tld-server.com. IN A 172.17.0.$TLD_NS_IP_ADDRESS
```
nsd for the TLD name server
run: nsd -d

/etc/nsd/nsd.conf
```
remote-control:
  control-enable: no

zone:
  # the zone apex must match the $ORIGIN of the zone file,
  # otherwise nsd rejects the records as out-of-zone data
  name: com.
  zonefile: /etc/nsd/zones/main.zone
```

/etc/nsd/zones/main.zone
```
$ORIGIN com.
$TTL 1800
@ IN SOA primary.tld-server.com. admin.tld-server.com. (
    2014010100 ; Serial
    10800      ; Refresh (3 hours)
    900        ; Retry (15 minutes)
    604800     ; Expire (1 week)
    86400      ; Minimum (1 day)
)
@ IN NS primary.tld-server.com.
```
unbound
run: unbound -d

/etc/unbound/unbound.conf
Ideally, instead of 0.0.0.0, the interface setting should only cover the docker0 network interface; alternatively, disable the docker containers' access to the internet.
```
server:
  verbosity: 4
  use-syslog: no
  interface: 0.0.0.0
  access-control: 172.17.0.0/16 allow
  root-hints: /etc/unbound/root.hints

remote-control:
  control-enable: no
```

/etc/unbound/root.hints
```
; NOTE: the IP address is that of the docker container
.                        3600000 NS primary.root-server.com.
primary.root-server.com. 3600000 A  172.17.0.$ROOT_NS_IP_ADDRESS
```
client
Container is docker/client.Dockerfile; build with:
```
docker build -t dnssec-tests-client -f docker/client.Dockerfile docker
```
It comes with tshark.

Run the client container with extra capabilities:
```
docker run --rm -it --cap-add=NET_RAW --cap-add=NET_ADMIN dnssec-tests-client /bin/bash
```
Then run tshark inside the container:
```
tshark -f 'host 172.17.0.3' -O dns
```
to filter DNS messages for host 172.17.0.3 (unbound).