diff options
| author |  Miek Gieben <miek@miek.nl>
| 2018-01-18 10:39:22 +0000 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2018-01-18 10:39:22 +0000 |
| commit | 318bab77956a8aed04dce8d7a40823bb802282da (patch) | |
| tree | 57ec91004e6d95d8136cd7c690bf06243c04d23f /plugin/dnssec/cache_test.go | |
| parent | dd9fc8962c7f51b358c8c127e3efaece559d81f8 (diff) | |
| download | coredns-318bab77956a8aed04dce8d7a40823bb802282da.tar.gz coredns-318bab77956a8aed04dce8d7a40823bb802282da.tar.zst coredns-318bab77956a8aed04dce8d7a40823bb802282da.zip | |
plugin/dnssec: check validityperiod of RRSIGs (#1385)
* plugin/dnssec: check validityperiod of RRSIGs
Somehow we missed implementing this. If a sig a retrieved from the
cache, but not valid anymore, regenerate it instead of server invalid
signatures.
Fixes #1378
* drop from cache after 3/4 validity
* six days means 6 days
Diffstat (limited to 'plugin/dnssec/cache_test.go')
| -rw-r--r-- | plugin/dnssec/cache_test.go | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/plugin/dnssec/cache_test.go b/plugin/dnssec/cache_test.go index ccf588d8e..c3cdb0d6e 100644 --- a/plugin/dnssec/cache_test.go +++ b/plugin/dnssec/cache_test.go @@ -32,3 +32,51 @@ func TestCacheSet(t *testing.T) { t.Errorf("signature was not added to the cache") } } + +func TestCacheNotValidExpired(t *testing.T) { + fPriv, rmPriv, _ := test.TempFile(".", privKey) + fPub, rmPub, _ := test.TempFile(".", pubKey) + defer rmPriv() + defer rmPub() + + dnskey, err := ParseKeyFile(fPub, fPriv) + if err != nil { + t.Fatalf("failed to parse key: %v\n", err) + } + + c := cache.New(defaultCap) + m := testMsg() + state := request.Request{Req: m, Zone: "miek.nl."} + k := hash(m.Answer) // calculate *before* we add the sig + d := New([]string{"miek.nl."}, []*DNSKEY{dnskey}, nil, c) + d.Sign(state, time.Now().UTC().AddDate(0, 0, -9)) + + _, ok := d.get(k) + if ok { + t.Errorf("signature was added to the cache even though not valid") + } +} + +func TestCacheNotValidYet(t *testing.T) { + fPriv, rmPriv, _ := test.TempFile(".", privKey) + fPub, rmPub, _ := test.TempFile(".", pubKey) + defer rmPriv() + defer rmPub() + + dnskey, err := ParseKeyFile(fPub, fPriv) + if err != nil { + t.Fatalf("failed to parse key: %v\n", err) + } + + c := cache.New(defaultCap) + m := testMsg() + state := request.Request{Req: m, Zone: "miek.nl."} + k := hash(m.Answer) // calculate *before* we add the sig + d := New([]string{"miek.nl."}, []*DNSKEY{dnskey}, nil, c) + d.Sign(state, time.Now().UTC().AddDate(0, 0, +9)) + + _, ok := d.get(k) + if ok { + t.Errorf("signature was added to the cache even though not valid yet") + } +} |