colin/hickory-dns
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
mirror/dev fork of https://github.com/hickory-dns/hickory-dns
51 Commits 2 Branches 0 Tags 14 MiB
Rust 99.5%
Just 0.3%
Shell 0.2%
e52980a82f
Go to file
Jorge Aparicio e52980a82f test NXDOMAIN scenario
2024-02-09 16:35:29 +01:00
.github/workflows update CI config 2024-02-08 19:28:05 +01:00
packages test NXDOMAIN scenario 2024-02-09 16:35:29 +01:00
.gitignore initial commit 2024-01-29 17:08:18 +01:00
Cargo.lock mv tests into conformance-tests package 2024-02-08 18:28:05 +01:00
Cargo.toml restructure into a workspace 2024-02-08 18:15:41 +01:00
README.md WIP root & tld name server setup 2024-02-01 18:07:00 +01:00

README.md

dnssec-tests

Test infrastructure for DNSSEC conformance tests.

Design goals

  • Test MUST not depend on external services like 1.1.1.1 or 8.8.8.8
    • rationale: it must be possible to run tests locally, without internet access
  • All nodes in the network must not be the subject under test.
    • rationale: test inter-operability with other software like unbound and nsd
  • All test input must be local files or constants
    • rationale: tests are self-contained

Minimally working DNSSEC-enabled network

  • . domain
    • name server: nsd (my.root-server.com)
  • TLD domain (com.)
    • name server: nsd (ns.com)
  • target domain (example.com.)
    • name server: nsd (ns.example.com)
  • recursive resolver: unbound
    • configured to use my.root-server.com as root server
    • configured with a trust anchor: the public key of my.root-server.com

each name server has

  • a zone signing key pair
  • a key signing key pair
  • signed zone files

exploration

Notes:

  • run all containers with --cap-add=NET_RAW --cap-add=NET_ADMIN
  • use docker exec to run tshark on network nodes ( containers ) of interest

nsd for root name server

run: nsd -d

  • /etc/nsd/nsd.conf
remote-control:
  control-enable: no

zone:
  name: .
  zonefile: /etc/nsd/zones/main.zone
  • /etc/nsd/zones/main.zone
$ORIGIN .
$TTL 1800
@       IN      SOA     primary.root-server.com.    admin.root-server.com. (
                        2014080301
                        3600
                        900
                        1209600
                        1800
                        )
@       IN      NS      primary.root-server.com.

; referral
com.    IN      NS      primary.tld-server.com.
primary.tld-server.com. IN A 172.17.0.$TLD_NS_IP_ADDRESS

nsd for the TLD name server

run: nsd -d

  • /etc/nsd/nsd.conf
remote-control:
  control-enable: no

zone:
  name: main
  zonefile: /etc/nsd/zones/main.zone
  • /etc/nsd/zones/main.zone
$ORIGIN com.
$TTL 1800
@       IN      SOA     primary.tld-server.com.    admin.tld-server.com. (
                        2014010100 ; Serial
                        10800      ; Refresh (3 hours)
                        900        ; Retry (15 minutes)
                        604800     ; Expire (1 week)
                        86400      ; Minimum (1 day)
                        )
@       IN      NS      primary.tld-server.com.

unbound

run unbound -d

  • /etc/unbound/unbound.conf

ideally instead of 0.0.0.0, it should only cover the docker0 network interface. or disable docker containers' access to the internet

server:
    verbosity: 4
    use-syslog: no
    interface: 0.0.0.0
    access-control: 172.17.0.0/16 allow
    root-hints: /etc/unbound/root.hints

remote-control:
    control-enable: no
  • /etc/unbound/root.hints. NOTE IP address of docker container
.                        3600000      NS    primary.root-server.com.
primary.root-server.com. 3600000      A     172.17.0.$ROOT_NS_IP_ADDRESS

client

Container is docker/client.Dockerfile, build with: docker build -t dnssec-tests-client -f docker/client.Dockerfile docker, with tshark.

Run the client container with extra capabilities

docker run --rm -it --cap-add=NET_RAW --cap-add=NET_ADMIN dnssec-tests-client /bin/bash

Then run tshark inside the container:

tshark -f 'host 172.17.0.3' -O dns

to filter DNS messages for host 172.17.0.3 (unbound).