Commit 09a9ad2b authored by Daniel Salzman's avatar Daniel Salzman

Merge branch 'nsec3-null' into 'master'

Additional nsec null checks

See merge request !283
parents f161183f 246a0310
......@@ -702,11 +702,17 @@ static int ns_put_nsec_nsec3_nodata(const zone_node_t *node,
int nsec_prove_wildcards(knot_pkt_t *pkt, struct query_data *qdata)
{
dbg_ns("%s(%p, %p)\n", __func__, pkt, qdata);
if (qdata->zone->contents == NULL) {
return KNOT_EINVAL;
}
int ret = KNOT_EOK;
struct wildcard_hit *item = NULL;
WALK_LIST(item, qdata->wildcards) {
if (item->node == NULL) {
return KNOT_EINVAL;
}
ret = ns_put_nsec_nsec3_wildcard_answer(
item->node,
item->node->parent,
......@@ -724,6 +730,10 @@ int nsec_prove_wildcards(knot_pkt_t *pkt, struct query_data *qdata)
int nsec_prove_nodata(knot_pkt_t *pkt, struct query_data *qdata)
{
dbg_ns("%s(%p, %p)\n", __func__, pkt, qdata);
if (qdata->node == NULL || qdata->encloser == NULL ||
qdata->zone->contents == NULL) {
return KNOT_EINVAL;
}
return ns_put_nsec_nsec3_nodata(qdata->node, qdata->encloser,
qdata->previous, qdata->zone->contents,
......@@ -733,6 +743,9 @@ int nsec_prove_nodata(knot_pkt_t *pkt, struct query_data *qdata)
int nsec_prove_nxdomain(knot_pkt_t *pkt, struct query_data *qdata)
{
dbg_ns("%s(%p, %p)\n", __func__, pkt, qdata);
if (qdata->encloser == NULL || qdata->zone->contents == NULL) {
return KNOT_EINVAL;
}
return ns_put_nsec_nsec3_nxdomain(qdata->zone->contents, qdata->previous,
qdata->encloser, qdata->name, qdata,
......@@ -742,6 +755,10 @@ int nsec_prove_nxdomain(knot_pkt_t *pkt, struct query_data *qdata)
int nsec_prove_dp_security(knot_pkt_t *pkt, struct query_data *qdata)
{
dbg_ns("%s(%p, %p)\n", __func__, pkt, qdata);
if (qdata->node == NULL || qdata->encloser == NULL ||
qdata->zone->contents == NULL) {
return KNOT_EINVAL;
}
/* Add DS record if present. */
knot_rrset_t rrset = node_rrset(qdata->node, KNOT_RRTYPE_DS);
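Review bot: The new guard `qdata->zone->contents == NULL` dereferences `qdata->zone` before anything has checked it, in all four functions (nsec_prove_wildcards, nsec_prove_nodata, nsec_prove_nxdomain, nsec_prove_dp_security); if `qdata->zone` can be NULL on any path that reaches these proofs — I cannot tell from the hunk — the guard itself faults instead of failing closed, so `if (qdata->zone == NULL || qdata->zone->contents == NULL) {` would be the safer form. In nsec_prove_wildcards the loop checks `item->node` but then passes `item->node->parent` to ns_put_nsec_nsec3_wildcard_answer without a check; whether that callee tolerates a NULL parent is not visible here, and the call continues past the end of the hunk. Since the same three-field guard is now repeated four times, a single `static bool` helper (e.g. taking `qdata` and a flag for whether `node` is required) would keep the checks from drifting apart the next time a field is added.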
......@@ -18,6 +18,12 @@ zone = t.zone("forward.", storage=".") + \
t.zone("1.6.b.0.0.0.0.0.0.2.6.2.ip6.arpa.", storage=".")
t.link(zone, knot)
# Enable DNSSEC
knot.dnssec_enable = True
for z in zone:
knot.gen_key(z, ksk=True, alg="RSASHA256")
knot.gen_key(z, alg="RSASHA256")
# Configure 'synth_record' modules for auto forward/reverse zones
knot.add_query_module(zone[FWD], "synth_record", "forward dynamic4- 900 192.168.1.0/25")
knot.add_query_module(zone[FWD], "synth_record", "forward dynamic6- 900 2620:0:b61::/52")
......@@ -32,26 +38,26 @@ static_map = [ ("192.168.1.42", "42." + zone[REV4].name, "static4-a.forward."),
# Check static reverse records
for (_, reverse, forward) in static_map:
resp = knot.dig(reverse, "PTR")
resp = knot.dig(reverse, "PTR", dnssec=True)
resp.check(forward, rcode="NOERROR", flags="QR AA")
# Check static forward records
for (addr, reverse, forward) in static_map:
rrtype = "AAAA" if ":" in addr else "A"
resp = knot.dig(forward, rrtype)
resp = knot.dig(forward, rrtype, dnssec=True)
resp.check(addr, rcode="NOERROR", flags="QR AA")
# Check positive dynamic reverse records
dynamic_map = [ ("192.168.1.1", "1." + zone[REV4].name, "dynamic4-192-168-1-1." + zone[FWD].name),
("2620:0:b61::1", "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0." + zone[REV6].name, "dynamic6-2620-0000-0b61-0000-0000-0000-0000-0001." + zone[FWD].name) ]
for (_, reverse, forward) in dynamic_map:
resp = knot.dig(reverse, "PTR")
resp = knot.dig(reverse, "PTR", dnssec=True)
resp.check(forward, rcode="NOERROR", flags="QR AA")
# Check positive dynamic forward records
for (addr, reverse, forward) in dynamic_map:
rrtype = "AAAA" if ":" in addr else "A"
resp = knot.dig(forward, rrtype)
resp = knot.dig(forward, rrtype, dnssec=True)
resp.check(addr, rcode="NOERROR", flags="QR AA")
# Check NODATA answer for all records
......@@ -61,14 +67,20 @@ for (addr, reverse, forward) in dynamic_map:
resp = knot.dig(forward, "TXT")
resp.check(nordata=addr, rcode="NOERROR", flags="QR AA")
# Check for SERVFAIL with DNSSEC - no way to prove
resp = knot.dig(reverse, "TXT", dnssec=True)
resp.check(nordata=forward, rcode="SERVFAIL")
resp = knot.dig(forward, "TXT", dnssec=True)
resp.check(nordata=addr, rcode="SERVFAIL")
# Check "out of subnet range" query response
nxdomain_map = [ ("192.168.1.128", "128." + zone[REV4].name, "dynamic4-192-168-1-128." + zone[FWD].name),
("2620:0:b61:1000::", "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1." + zone[REV6].name, "dynamic6-2620-0000-0b61-1000-0000-0000-0000-0000." + zone[FWD].name) ]
for (addr, reverse, forward) in nxdomain_map:
rrtype = "AAAA" if ":" in addr else "A"
resp = knot.dig(reverse, "PTR")
resp = knot.dig(reverse, "PTR", dnssec=True)
resp.check(rcode="NXDOMAIN", flags="QR AA")
resp = knot.dig(forward, rrtype)
resp = knot.dig(forward, rrtype, dnssec=True)
resp.check(rcode="NXDOMAIN", flags="QR AA")
# Check alias leading to synthetic name
......@@ -76,12 +88,12 @@ alias_map = [ ("192.168.1.1", None, "cname4." + zone[FWD].name),
("2620:0:b61::1", None, "cname6." + zone[FWD].name) ]
for (addr, _, forward) in alias_map:
rrtype = "AAAA" if ":" in addr else "A"
resp = knot.dig(forward, rrtype)
resp = knot.dig(forward, rrtype, dnssec=True)
resp.check(addr, rcode="NOERROR", flags="QR AA")
# Check ANY type question
for (addr, reverse, forward) in dynamic_map:
resp = knot.dig(forward, "ANY")
resp = knot.dig(forward, "ANY", dnssec=True)
resp.check(rcode="NOERROR", flags="QR AA")
t.end()
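Review bot: The new `resp.check(nordata=forward, rcode="SERVFAIL")` / `resp.check(nordata=addr, rcode="SERVFAIL")` pair pins a fail-closed behaviour, but the comment `# Check for SERVFAIL with DNSSEC - no way to prove` does not say what cannot be proven; if the reason is that synthesized names have no entry in the zone's NSEC/NSEC3 chain, the comment should state that, e.g. `# Synthesized names have no NSEC/NSEC3 chain entry, so a NODATA proof cannot be built; expect SERVFAIL rather than an unsigned NODATA`. The positive checks that now pass `dnssec=True` still assert only `rcode` and `flags`; unless `resp.check` also verifies the presence of RRSIGs, which is not visible here, these lines show the server no longer faults on the DNSSEC path rather than that the synthesized answers are signed, so adding an RRSIG assertion where the harness supports one would make the intent explicit.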