author | 2023-04-22 22:32:01 +0200 | |
---|---|---|
committer | 2023-04-22 22:32:01 +0200 | |
commit | 13e66918e3f1221a0da8f562bdafbec43c3e8f24 (patch) | |
tree | 52baddd90d177c8973072865386890d24ef6cf27 /plugin/dnssec/handler_test.go | |
parent | 0862dd1cb5609bf2d55c566a010d42568178b9ae (diff) | |
plugin/dnssec: on delegation, sign DS or NSEC of no DS. (#5899)
* When returning NS for a delegation point, we sign any DS record or, if none
is found, we generate an NSEC proving the absence of DS. This follows the behaviour
described in RFC 4035 (Section 3.1.4).
* DS requests at the apex behave as before.
* Fix edge case of requesting NSEC which proves that NSEC does not exist.
Signed-off-by: Jeremiejig <me@jeremiejig.fr>
Diffstat (limited to 'plugin/dnssec/handler_test.go')
-rw-r--r-- | plugin/dnssec/handler_test.go | 73 |
1 files changed, 72 insertions, 1 deletions
diff --git a/plugin/dnssec/handler_test.go b/plugin/dnssec/handler_test.go
index a1e24b7bb..e82e546d3 100644
--- a/plugin/dnssec/handler_test.go
+++ b/plugin/dnssec/handler_test.go
@@ -38,6 +38,73 @@ var dnsTestCases = []test.Case{
 },
 },
 {
+ Qname: "miek.nl.", Qtype: dns.TypeNS, Do: true,
+ Answer: []dns.RR{
+ test.NS("miek.nl. 1800 IN NS linode.atoom.net."),
+ test.RRSIG("miek.nl. 1800 IN RRSIG NS 13 2 1800 20220101121212 20220201121212 18512 miek.nl. RandomNotChecked"),
+ },
+ },
+ {
+ Qname: "deleg.miek.nl.", Qtype: dns.TypeNS, Do: true,
+ Ns: []dns.RR{
+ test.DS("deleg.miek.nl. 1800 IN DS 18512 13 2 D4E806322598BC97A003EF1ACDFF352EEFF7B42DBB0D41B8224714C36AEF08D9"),
+ test.NS("deleg.miek.nl. 1800 IN NS ns01.deleg.miek.nl."),
+ test.RRSIG("deleg.miek.nl. 1800 IN RRSIG DS 13 3 1800 20220101121212 20220201121212 18512 miek.nl. RandomNotChecked"),
+ },
+ },
+ {
+ Qname: "unsigned.miek.nl.", Qtype: dns.TypeNS, Do: true,
+ Ns: []dns.RR{
+ test.NS("unsigned.miek.nl. 1800 IN NS ns01.deleg.miek.nl."),
+ test.NSEC("unsigned.miek.nl. 1800 IN NSEC unsigned\\000.miek.nl. NS RRSIG NSEC"),
+ test.RRSIG("unsigned.miek.nl. 1800 IN RRSIG NSEC 13 3 1800 20220101121212 20220201121212 18512 miek.nl. RandomNotChecked"),
+ },
+ },
+ { // DS should not come from dnssec plugin
+ Qname: "deleg.miek.nl.", Qtype: dns.TypeDS,
+ Answer: []dns.RR{
+ test.DS("deleg.miek.nl. 1800 IN DS 18512 13 2 D4E806322598BC97A003EF1ACDFF352EEFF7B42DBB0D41B8224714C36AEF08D9"),
+ },
+ Ns: []dns.RR{
+ test.NS("miek.nl. 1800 IN NS linode.atoom.net."),
+ },
+ },
+ {
+ Qname: "unsigned.miek.nl.", Qtype: dns.TypeDS,
+ Ns: []dns.RR{
+ test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
+ },
+ },
+ {
+ Qname: "miek.nl.", Qtype: dns.TypeDS, Do: true,
+ Ns: []dns.RR{
+ test.NSEC("miek.nl. 1800 IN NSEC \\000.miek.nl. A HINFO NS SOA MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC DNSKEY TLSA HIP OPENPGPKEY SPF"),
+ test.RRSIG("miek.nl. 1800 IN RRSIG NSEC 13 2 1800 20220101121212 20220201121212 18512 miek.nl. RandomNotChecked"),
+ test.RRSIG("miek.nl. 1800 IN RRSIG SOA 13 2 3600 20171220141741 20171212111741 18512 miek.nl. 8bLTReqmuQtw=="),
+ test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
+ },
+ },
+ {
+ Qname: "deleg.miek.nl.", Qtype: dns.TypeDS, Do: true,
+ Answer: []dns.RR{
+ test.DS("deleg.miek.nl. 1800 IN DS 18512 13 2 D4E806322598BC97A003EF1ACDFF352EEFF7B42DBB0D41B8224714C36AEF08D9"),
+ test.RRSIG("deleg.miek.nl. 1800 IN RRSIG DS 13 3 1800 20220101121212 20220201121212 18512 miek.nl. RandomNotChecked"),
+ },
+ Ns: []dns.RR{
+ test.NS("miek.nl. 1800 IN NS linode.atoom.net."),
+ test.RRSIG("miek.nl. 1800 IN RRSIG NS 13 2 3600 20161217114912 20161209084912 18512 miek.nl. ad9gA8VWgF1H8ze9/0Rk2Q=="),
+ },
+ },
+ {
+ Qname: "unsigned.miek.nl.", Qtype: dns.TypeDS, Do: true,
+ Ns: []dns.RR{
+ test.RRSIG("miek.nl. 1800 IN RRSIG SOA 13 2 3600 20171220141741 20171212111741 18512 miek.nl. 8bLTReqmuQtw=="),
+ test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
+ test.NSEC("unsigned.miek.nl. 1800 IN NSEC \\000.unsigned.miek.nl. NS RRSIG NSEC"),
+ test.RRSIG("unsigned.miek.nl. 1800 IN RRSIG NSEC 13 3 1800 20220101121212 20220201121212 18512 miek.nl. RandomNotChecked"),
+ },
+ },
+ {
 Qname: "miek.nl.", Qtype: dns.TypeMX,
 Answer: []dns.RR{
 test.MX("miek.nl. 1800 IN MX 1 aspmx.l.google.com."),
@@ -179,4 +246,8 @@ $ORIGIN miek.nl.
 a IN A 139.162.196.78
 IN AAAA 2a01:7e00::f03c:91ff:fef1:6735
-www IN CNAME a`
+www IN CNAME a
+deleg IN NS ns01.deleg
+ IN DS 18512 13 2 D4E806322598BC97A003EF1ACDFF352EEFF7B42DBB0D41B8224714C36AEF08D9
+unsigned IN NS ns01.deleg
+` |
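Review bot: None of the added cases asks for NS at a delegation point without `Do: true`, so nothing here pins that a referral to a client that did not request DNSSEC stays free of DS, NSEC and RRSIG records; a case along the lines of `Qname: "deleg.miek.nl.", Qtype: dns.TypeNS,` with only `test.NS("deleg.miek.nl. 1800 IN NS ns01.deleg.miek.nl.")` expected in `Ns` would cover it, assuming that is what the backing zone returns. The two NSEC expectations for `unsigned.miek.nl.` also differ in their next-owner name (`unsigned\\000.miek.nl.` for the NS referral, `\\000.unsigned.miek.nl.` for the DS query); if that is deliberate, a one-line comment on each case saying why would stop a later edit from aligning them by mistake. The `dnsTestCases` literal starts and ends outside this hunk, so the non-DO referral may already be covered elsewhere in it.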