Commit 0cb5b2e7 authored by Jan Kadlec's avatar Jan Kadlec

Merge branch 'nsec_no_prove_wildcards_below_dp' into 'master'

Nsec No Prove Wildcards Below Dp
parents 752a71c3 a4b5df22
......@@ -594,8 +594,9 @@ static int solve_authority_dnssec(int state, knot_pkt_t *pkt, struct query_data
/* RFC4035 3.1.3 Prove visited wildcards.
* Wildcard expansion applies for Name Error, Wildcard Answer and
* No Data proofs if at one point the search expanded a wildcard node. */
if (ret == KNOT_EOK) {
* No Data proofs if at one point the search expanded a wildcard node.
* \note Do not attempt to prove non-authoritative data. */
if (ret == KNOT_EOK && state != DELEG) {
ret = nsec_prove_wildcards(pkt, qdata);
}
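Review bot: The new `\note` says what the guard skips but not why, and the condition depends on `state != DELEG` alone. Names below a zone cut are occluded and have no entry in this zone's NSEC/NSEC3 chain, so the comment could say so, e.g. `* \note Skip for referrals: data below a zone cut is occluded and not covered by this zone's NSEC/NSEC3 chain.`, which would keep a later refactor from dropping the check. solve_authority_dnssec starts and ends outside the hunk, so it cannot be told from here whether any other non-authoritative outcome can reach this point with visited wildcards recorded in qdata. If one can, declining to record the wildcard at expansion time would be more robust than filtering at the proof site.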
......
......@@ -10,6 +10,7 @@ ns2.b.example. 3600 IN A 192.0.2.8
a.example. 3600 IN NS ns1.a.example.
a.example. 3600 IN NS ns2.a.example.
a.example. 3600 IN DS 57855 5 1 B6DCD485719ADCA18E5F3D48A2331627FDD3636B
*.a.example. 3600 IN A 192.0.2.11
ai.example. 3600 IN A 192.0.2.9
ai.example. 3600 IN HINFO "KLH-10" "ITS"
ai.example. 3600 IN AAAA 2001:db8::f00:baa9
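Review bot: The occluded wildcard is added only under a.example, which carries a DS record on the line above it, so the new queries exercise a signed delegation only. A referral for a delegation without DS has to carry a denial-of-DS proof in the authority section, and presumably takes a different branch of the DNSSEC authority code, where an unwanted wildcard proof would be harder to tell apart from the legitimate NSEC/NSEC3 records. A second occluded wildcard under an NS-only cut (constructed example: `*.insecure.example. 3600 IN A 192.0.2.12`) with matching A and AAAA queries would cover that case.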
......
......@@ -66,6 +66,16 @@ resp = knot.dig("a.to-nxdomain.example", "A", dnssec=True)
resp.check(rcode="NXDOMAIN", flags="QR AA", eflags="DO")
resp.cmp(bind)
# Wildcard Expansion below delegation point
resp = knot.dig("a.a.example", "A", dnssec=True)
resp.check(rcode="NOERROR", flags="QR", eflags="DO")
resp.cmp(bind)
# Wildcard Expansion below delegation point (nodata)
resp = knot.dig("a.a.example", "AAAA", dnssec=True)
resp.check(rcode="NOERROR", flags="QR", eflags="DO")
resp.cmp(bind)
# B9. Direct wildcard query (positive)
resp = knot.dig("*.w.example", "MX", dnssec=True)
resp.check(rcode="NOERROR", flags="QR AA", eflags="DO")
......@@ -76,6 +86,16 @@ resp = knot.dig("*.w.example", "AAAA", dnssec=True)
resp.check(rcode="NOERROR", flags="QR AA", eflags="DO")
resp.cmp(bind)
# Direct wildcard query below delegation point (positive)
resp = knot.dig("*.a.example", "A", dnssec=True)
resp.check(rcode="NOERROR", flags="QR", eflags="DO")
resp.cmp(bind)
# Direct wildcard query below delegation point (no data)
resp = knot.dig("*.a.example", "AAAA", dnssec=True)
resp.check(rcode="NOERROR", flags="QR", eflags="DO")
resp.cmp(bind)
# B11. DS Child Zone No Data Error.
resp = knot.dig("example", "DS", dnssec=True)
resp.check(rcode="NOERROR", flags="QR AA", eflags="DO")
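Review bot: The four new cases assert only the rcode and the absence of AA, so the property this commit fixes (no wildcard proof in a referral) is checked solely through `resp.cmp(bind)`. If the reference server's output ever changed, or the comparison were relaxed, the regression would pass unnoticed. An explicit assertion that the authority section of these responses holds only the referral records and no NSEC/NSEC3 covering `*.a.example` would pin the behaviour. A comment such as `# Referral expected: no AA, no wildcard proof in AUTHORITY` above each case would record the intent. The same applies to the identical cases added in the second test file further down the page.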
......
......@@ -56,7 +56,7 @@ resp = knot.dig("a.to-apex.example", "SOA", dnssec=True)
resp.check(rcode="NOERROR", flags="QR AA", eflags="DO")
resp.cmp(bind)
# Wildcard Expansion to apex (NODATA)
# Wildcard Expansion to apex (no data)
resp = knot.dig("a.to-apex.example", "TXT", dnssec=True)
resp.check(rcode="NOERROR", flags="QR AA", eflags="DO")
resp.cmp(bind)
......@@ -66,6 +66,16 @@ resp = knot.dig("a.to-nxdomain.example", "A", bufsize=1600, dnssec=True)
resp.check(rcode="NXDOMAIN", flags="QR AA", eflags="DO")
resp.cmp(bind)
# Wildcard Expansion below delegation point
resp = knot.dig("a.a.example", "A", dnssec=True)
resp.check(rcode="NOERROR", flags="QR", eflags="DO")
resp.cmp(bind)
# Wildcard Expansion below delegation point (no data)
resp = knot.dig("a.a.example", "AAAA", dnssec=True)
resp.check(rcode="NOERROR", flags="QR", eflags="DO")
resp.cmp(bind)
# B9. Direct wildcard query (positive)
resp = knot.dig("*.w.example", "MX", dnssec=True)
resp.check(rcode="NOERROR", flags="QR AA", eflags="DO")
......@@ -76,6 +86,16 @@ resp = knot.dig("*.w.example", "AAAA", dnssec=True)
resp.check(rcode="NOERROR", flags="QR AA", eflags="DO")
resp.cmp(bind)
# Direct wildcard query below delegation point (positive)
resp = knot.dig("*.a.example", "A", dnssec=True)
resp.check(rcode="NOERROR", flags="QR", eflags="DO")
resp.cmp(bind)
# Direct wildcard query below delegation point (no data)
resp = knot.dig("*.a.example", "AAAA", dnssec=True)
resp.check(rcode="NOERROR", flags="QR", eflags="DO")
resp.cmp(bind)
# B11. DS Child Zone No Data Error.
resp = knot.dig("example", "DS", dnssec=True)
resp.check(rcode="NOERROR", flags="QR AA", eflags="DO")
......