From 311af9314dc9cd3db3bfe6a4e212d5842151e9fb Mon Sep 17 00:00:00 2001
From: Miek Gieben <miek@miek.nl>
Date: Wed, 3 Jan 2018 11:11:56 +0000
Subject: plugin/dnssec: implement shotgun from CloudFlare (#1305)

* plugin/dnssec: implement shotgun from CloudFlare

Put a whole bunch of types in the NSEC bitmap and remove the one that's
being asked for.

Add more records for queries to the apex, SOA, DNSKEY, MX.
---
 plugin/dnssec/handler_test.go | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

(limited to 'plugin/dnssec/handler_test.go')

diff --git a/plugin/dnssec/handler_test.go b/plugin/dnssec/handler_test.go
index ba24a45d1..77bf36f32 100644
--- a/plugin/dnssec/handler_test.go
+++ b/plugin/dnssec/handler_test.go
@@ -72,10 +72,30 @@ var dnsTestCases = []test.Case{
 		},
 		Extra: []dns.RR{test.OPT(4096, true)},
 	},
+	{
+		Qname: "wwwww.miek.nl.", Qtype: dns.TypeAAAA, Do: true,
+		Ns: []dns.RR{
+			test.RRSIG("miek.nl.	1800	IN	RRSIG	SOA 13 2 3600 20171220135446 20171212105446 18512 miek.nl. hCRzzjYz6w=="),
+			test.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
+			test.NSEC("wwwww.miek.nl.	1800	IN	NSEC	\\000.wwwww.miek.nl. A HINFO TXT LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF"),
+			test.RRSIG("wwwww.miek.nl.	1800	IN	RRSIG	NSEC 13 3 3600 20171220135446 20171212105446 18512 miek.nl. cVUQWs8xw=="),
+		},
+		Extra: []dns.RR{test.OPT(4096, true)},
+	},
+	{
+		Qname: "miek.nl.", Qtype: dns.TypeHINFO, Do: true,
+		Ns: []dns.RR{
+			test.NSEC("miek.nl.	1800	IN	NSEC	\\000.miek.nl. A NS SOA MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC DNSKEY TLSA HIP OPENPGPKEY SPF"),
+			test.RRSIG("miek.nl.	1800	IN	RRSIG	NSEC 13 2 3600 20171220141741 20171212111741 18512 miek.nl. GuXROL7Uu+UiPcg=="),
+			test.RRSIG("miek.nl.	1800	IN	RRSIG	SOA 13 2 3600 20171220141741 20171212111741 18512 miek.nl. 8bLTReqmuQtw=="),
+			test.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
+		},
+		Extra: []dns.RR{test.OPT(4096, true)},
+	},
 	{
 		Qname: "www.example.org.", Qtype: dns.TypeAAAA, Do: true,
 		Rcode: dns.RcodeServerFailure,
-		// Extra: []dns.RR{test.OPT(4096, true)}, // test.ErrorHandler is a simple handler that does not do EDNS.
+		// Extra: []dns.RR{test.OPT(4096, true)}, // test.ErrorHandler is a simple handler that does not do EDNS on ServerFailure
 	},
 }
 
@@ -131,6 +151,17 @@ func TestLookupDNSKEY(t *testing.T) {
 		}
 
 		test.SortAndCheck(t, resp, tc)
+
+		// If there is an NSEC present in authority section check if the bitmap does not have the qtype set.
+		for _, rr := range resp.Ns {
+			if n, ok := rr.(*dns.NSEC); ok {
+				for i := range n.TypeBitMap {
+					if n.TypeBitMap[i] == tc.Qtype {
+						t.Errorf("bitmap contains qtype: %d", tc.Qtype)
+					}
+				}
+			}
+		}
 	}
 }
 
-- 
cgit v1.2.3