Commit d4ffae30 authored by Petr Špaček's avatar Petr Špaček

val_ta_sentinel* tests: extend tests to cover !AD and +CD

Sentinel must not require the AD/DO bits to be set in queries; otherwise it
will not work with stubs and web browsers deployed in 2018.

Tests were extended with +CD cases to make sure forwarding
configurations behave as specified by the draft -14.
parent 31445c99
......@@ -3,9 +3,10 @@ trust-anchor: . IN DS 48409 8 2 3D63A0C25BCE86621DE63636F11B35B908EFE8E9381E0E3E
trust-anchor: example. IN DS 4759 8 2 3384CAE149834F17054DD9150E8C33D3979C4092F5C1B8D35E17A3C36A83810F
val-override-date: 20180601000000
query-minimization: off
harden-glue: off
CONFIG_END
SCENARIO_BEGIN draft-ietf-dnsop-kskroll-sentinel-12 section 2
SCENARIO_BEGIN draft-ietf-dnsop-kskroll-sentinel-14 section 2
RANGE_BEGIN 1 1000
......@@ -241,6 +242,7 @@ ENTRY_END
RANGE_END
; sentinel does not affect qtypes different than A/AAAA
; +AD
STEP 111 QUERY
ENTRY_BEGIN
REPLY RD AD
......@@ -275,16 +277,17 @@ SECTION ANSWER
root-key-sentinel-not-ta-48409.test. IN TXT "it works"
ENTRY_END
; RD only
STEP 131 QUERY
ENTRY_BEGIN
REPLY RD AD
REPLY RD
SECTION QUESTION
root-key-sentinel-is-ta-00000.test. IN TXT
ENTRY_END
STEP 132 CHECK_ANSWER
ENTRY_BEGIN
REPLY QR RD RA AD NOERROR
REPLY QR RD RA NOERROR
MATCH opcode rcode flags question answer
SECTION QUESTION
root-key-sentinel-is-ta-00000.test. IN TXT
......@@ -294,14 +297,14 @@ ENTRY_END
STEP 141 QUERY
ENTRY_BEGIN
REPLY RD AD
REPLY RD
SECTION QUESTION
root-key-sentinel-not-ta-00000.test. IN TXT
ENTRY_END
STEP 142 CHECK_ANSWER
ENTRY_BEGIN
REPLY QR RD RA AD NOERROR
REPLY QR RD RA NOERROR
MATCH opcode rcode flags question answer
SECTION QUESTION
root-key-sentinel-not-ta-00000.test. IN TXT
......@@ -309,8 +312,47 @@ SECTION ANSWER
root-key-sentinel-not-ta-00000.test. IN TXT "it works"
ENTRY_END
; +CD
STEP 143 QUERY
ENTRY_BEGIN
REPLY RD CD
SECTION QUESTION
root-key-sentinel-not-ta-00000.test. IN TXT
ENTRY_END
STEP 144 CHECK_ANSWER
ENTRY_BEGIN
REPLY QR RD RA CD NOERROR
MATCH opcode rcode flags question answer
SECTION QUESTION
root-key-sentinel-not-ta-00000.test. IN TXT
SECTION ANSWER
root-key-sentinel-not-ta-00000.test. IN TXT "it works"
ENTRY_END
; +CD+DO
STEP 145 QUERY
ENTRY_BEGIN
REPLY RD CD DO
SECTION QUESTION
root-key-sentinel-not-ta-00000.test. IN TXT
ENTRY_END
STEP 146 CHECK_ANSWER
ENTRY_BEGIN
REPLY QR RD RA CD DO NOERROR
MATCH opcode rcode flags question answer
SECTION QUESTION
root-key-sentinel-not-ta-00000.test. IN TXT
SECTION ANSWER
root-key-sentinel-not-ta-00000.test. IN TXT "it works"
root-key-sentinel-not-ta-00000.test. IN RRSIG TXT 8 2 1 20180629135151 20180530135151 48409 . SjAFtdUPy+YU4sZnst5GNNYxjzWhBOVq UAfGIUv3uBo5qZW9ePecUJ8GZkNUkdT7 m+cHd0c1ssOBOT7snjwc3Sy3zD22b6/q 3N8VowhDQDPkoDlBvt9raR7eXu273cEB DZTQ9P4Ya2Meu32Aftwa6VMQmXMl+qWX hYqffEt6bJuoohnCVqOZihqgnoT+sRiD l49RgLb+GnZNbFk5EP9LXOrWcdxczKso tY384WCrniRmg4L6NM5DjnBtUVT+Qs6f hWGqQv23fPiLV8lt4i34aIf2jAQkIE6K D4aNLlehct7eqFo1aeaiZumqEd9/GoqS at/RE7Qsh6hiRkfA/J7MLg==
ENTRY_END
; keyid 48409 is trusted
; is-ta hit for keyid 48409 -> NOERROR
; +AD
STEP 211 QUERY
ENTRY_BEGIN
REPLY RD AD
......@@ -328,16 +370,17 @@ SECTION ANSWER
root-key-sentinel-is-ta-48409.test. 1 IN A 192.0.2.1
ENTRY_END
; RD only
STEP 221 QUERY
ENTRY_BEGIN
REPLY RD AD
REPLY RD
SECTION QUESTION
root-key-sentinel-is-ta-48409.test. IN AAAA
ENTRY_END
STEP 222 CHECK_ANSWER
ENTRY_BEGIN
REPLY QR RD RA AD NOERROR
REPLY QR RD RA NOERROR
MATCH opcode rcode flags question answer
SECTION QUESTION
root-key-sentinel-is-ta-48409.test. IN AAAA
......@@ -345,7 +388,9 @@ SECTION ANSWER
root-key-sentinel-is-ta-48409.test. 1 IN AAAA 2001:db8::
ENTRY_END
; not-ta miss for keyid 48409 -> SERVFAIL
; +AD
STEP 311 QUERY
ENTRY_BEGIN
REPLY RD AD
......@@ -361,9 +406,10 @@ SECTION QUESTION
root-key-sentinel-not-ta-48409.test. IN A
ENTRY_END
; query without AD must SERVFAIL as well
STEP 322 QUERY
ENTRY_BEGIN
REPLY RD AD
REPLY RD
SECTION QUESTION
root-key-sentinel-not-ta-48409.test. IN AAAA
ENTRY_END
......@@ -376,8 +422,47 @@ SECTION QUESTION
root-key-sentinel-not-ta-48409.test. IN AAAA
ENTRY_END
; +CD must disable sentinel logic
STEP 323 QUERY
ENTRY_BEGIN
REPLY RD CD
SECTION QUESTION
root-key-sentinel-not-ta-48409.test. IN AAAA
ENTRY_END
STEP 324 CHECK_ANSWER
ENTRY_BEGIN
REPLY QR RD RA CD NOERROR
MATCH opcode rcode flags question answer
SECTION QUESTION
root-key-sentinel-not-ta-48409.test. IN AAAA
SECTION ANSWER
root-key-sentinel-not-ta-48409.test. IN AAAA 2001:db8::
ENTRY_END
; +CD+DO must disable sentinel logic as well
STEP 325 QUERY
ENTRY_BEGIN
REPLY RD CD DO
SECTION QUESTION
root-key-sentinel-not-ta-48409.test. IN AAAA
ENTRY_END
STEP 326 CHECK_ANSWER
ENTRY_BEGIN
REPLY QR RD RA CD DO NOERROR
MATCH opcode rcode flags question answer
SECTION QUESTION
root-key-sentinel-not-ta-48409.test. IN AAAA
SECTION ANSWER
root-key-sentinel-not-ta-48409.test. IN AAAA 2001:db8::
root-key-sentinel-not-ta-48409.test. IN RRSIG AAAA 8 2 1 20180629135151 20180530135151 48409 . UYk1xmrw2A7ojKSTpwuF90WXsXOfNbRI 8pi9tDPLmqr0OMn29AW051vGTyLd7L3o gsaoUEDiY2vYyvyZI3kPL9fSRDYgOIk7 Cq3hp7k6wMM3IXS6iIlYnjtvUFGDaE69 EpUjwII22lSWaqOo0dCFnacJYWDfShdZ cv7yssWG9nZpki6aiBAjhYXY8tdMnpDJ zq9O3zXPQR8xtuFW4S0aVdrHuSPRq935 DWXThocHxOza6OQp/ZkbemkoqAYjTlu0 tyITwZsTknxgK1mtM+ArRmhSeykqVs3m mAGIWMN3qIW8SXKVRHI9PPjka0j6+KK+ bfmeck0bI2Wu1f3Ccnk+nQ==
ENTRY_END
; keyid 0x0000 is not trusted
; is-ta miss for keyid 0x0000 -> SERVFAIL
; +AD
STEP 411 QUERY
ENTRY_BEGIN
REPLY RD AD
......@@ -400,7 +485,7 @@ SECTION QUESTION
root-key-sentinel-is-ta-00000.test. IN AAAA
ENTRY_END
STEP 422 CHECK_ANSWER
STEP 423 CHECK_ANSWER
ENTRY_BEGIN
REPLY QR RD RA SERVFAIL
MATCH opcode rcode flags question answer
......@@ -408,6 +493,25 @@ SECTION QUESTION
root-key-sentinel-is-ta-00000.test. IN AAAA
ENTRY_END
; +CD must disable sentinel logic
STEP 423 QUERY
ENTRY_BEGIN
REPLY RD CD
SECTION QUESTION
root-key-sentinel-is-ta-00000.test. IN AAAA
ENTRY_END
STEP 424 CHECK_ANSWER
ENTRY_BEGIN
REPLY QR RD RA CD NOERROR
MATCH opcode rcode flags question answer
SECTION QUESTION
root-key-sentinel-is-ta-00000.test. IN AAAA
SECTION ANSWER
root-key-sentinel-is-ta-00000.test. IN AAAA 2001:db8::
ENTRY_END
; not-ta hit for keyid 0x0000 -> NOERROR
STEP 511 QUERY
ENTRY_BEGIN
......@@ -443,6 +547,7 @@ SECTION ANSWER
root-key-sentinel-not-ta-00000.test. IN AAAA 2001:db8::
ENTRY_END
; TA for non-root domains are interpreted correctly
; not-ta ignores existing non-root TA keyid 04759 -> NOERROR
STEP 611 QUERY
......
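Review bot: Step id 423 appears to be used twice in the new file: the pair printed at `@@ -400,7 +485,7 @@` reads `STEP 422 CHECK_ANSWER` then `STEP 423 CHECK_ANSWER`, and the block added under `; +CD must disable sentinel logic` for `root-key-sentinel-is-ta-00000.test.` opens with `STEP 423 QUERY`. Assuming the second printed line is the new side, I would renumber the added pair to `STEP 424 QUERY` / `STEP 425 CHECK_ANSWER`, so that a failure report names exactly one step and the scenario does not depend on how the harness treats a repeated id. The 3xx block may need the same check, since the CHECK_ANSWER that follows `STEP 322 QUERY` lies outside the visible hunks and the added +CD case starts at `STEP 323 QUERY`. Separately, the is-ta-00000 case gets only a +CD step while both not-ta cases also get +CD+DO; a matching +CD+DO pair there would keep the coverage of the CD bypass symmetric.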