From 311af9314dc9cd3db3bfe6a4e212d5842151e9fb Mon Sep 17 00:00:00 2001 From: Miek Gieben Date: Wed, 3 Jan 2018 11:11:56 +0000 Subject: plugin/dnssec: implement shotgun from CloudFlare (#1305) * plugin/dnssec: implement shotgun from CloudFlare Put a whole bunch of types in the NSEC bitmap and remove the one that's being asked for. Add more records for queries to the apex, SOA, DNSKEY, MX.
--- plugin/dnssec/handler_test.go | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) (limited to 'plugin/dnssec/handler_test.go')
diff --git a/plugin/dnssec/handler_test.go b/plugin/dnssec/handler_test.go
index ba24a45d1..77bf36f32 100644
--- a/plugin/dnssec/handler_test.go
+++ b/plugin/dnssec/handler_test.go
@@ -72,10 +72,30 @@ var dnsTestCases = []test.Case{
 },
 Extra: []dns.RR{test.OPT(4096, true)},
 },
+ {
+ Qname: "wwwww.miek.nl.", Qtype: dns.TypeAAAA, Do: true,
+ Ns: []dns.RR{
+ test.RRSIG("miek.nl. 1800 IN RRSIG SOA 13 2 3600 20171220135446 20171212105446 18512 miek.nl. hCRzzjYz6w=="),
+ test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
+ test.NSEC("wwwww.miek.nl. 1800 IN NSEC \\000.wwwww.miek.nl. A HINFO TXT LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF"),
+ test.RRSIG("wwwww.miek.nl. 1800 IN RRSIG NSEC 13 3 3600 20171220135446 20171212105446 18512 miek.nl. cVUQWs8xw=="),
+ },
+ Extra: []dns.RR{test.OPT(4096, true)},
+ },
+ {
+ Qname: "miek.nl.", Qtype: dns.TypeHINFO, Do: true,
+ Ns: []dns.RR{
+ test.NSEC("miek.nl. 1800 IN NSEC \\000.miek.nl. A NS SOA MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC DNSKEY TLSA HIP OPENPGPKEY SPF"),
+ test.RRSIG("miek.nl. 1800 IN RRSIG NSEC 13 2 3600 20171220141741 20171212111741 18512 miek.nl. GuXROL7Uu+UiPcg=="),
+ test.RRSIG("miek.nl. 1800 IN RRSIG SOA 13 2 3600 20171220141741 20171212111741 18512 miek.nl. 8bLTReqmuQtw=="),
+ test.SOA("miek.nl. 1800 IN SOA linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
+ },
+ Extra: []dns.RR{test.OPT(4096, true)},
+ },
 {
 Qname: "www.example.org.", Qtype: dns.TypeAAAA, Do: true,
 Rcode: dns.RcodeServerFailure,
- // Extra: []dns.RR{test.OPT(4096, true)}, // test.ErrorHandler is a simple handler that does not do EDNS.
+ // Extra: []dns.RR{test.OPT(4096, true)}, // test.ErrorHandler is a simple handler that does not do EDNS on ServerFailure
 },
 }
 
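Review bot: The RRSIG entries in both new cases carry obviously truncated signature fields ("hCRzzjYz6w==", "cVUQWs8xw==", "GuXROL7Uu+UiPcg==", "8bLTReqmuQtw=="), and nothing in the test data says that these are placeholders. Presumably test.SortAndCheck compares only the header and the type-covered/key-tag fields of an RRSIG and ignores the signature and its validity window, since a real signature is regenerated per run; confirm that and state it once above the table, e.g. `// RRSIG signature and inception/expiration values below are placeholders; only the header and covered type are compared.` Without that note a reader may assume the comparison is byte-exact and wrongly conclude the signer is deterministic. It would also help to say that the wwwww.miek.nl. NSEC deliberately lists types the name does not have (the "shotgun" bitmap from the commit message), so that the bitmap is not "corrected" later. The dnsTestCases literal starts before this hunk.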
@@ -131,6 +151,17 @@ func TestLookupDNSKEY(t *testing.T) {
 }
 test.SortAndCheck(t, resp, tc)
+
+ // If there is an NSEC present in authority section check if the bitmap does not have the qtype set.
+ for _, rr := range resp.Ns {
+ if n, ok := rr.(*dns.NSEC); ok {
+ for i := range n.TypeBitMap {
+ if n.TypeBitMap[i] == tc.Qtype {
+ t.Errorf("bitmap contains qtype: %d", tc.Qtype)
+ }
+ }
+ }
+ }
 }
 }
-- cgit v1.2.3
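Review bot: The failure message in the new bitmap check names only the type number, so when several NSEC records are in the authority section the report does not say which owner name carried the offending bit; the index loop also hides the value being compared. I would write the inner loop as `for _, typ := range n.TypeBitMap {` / `if typ == tc.Qtype {` / `t.Errorf("NSEC %s bitmap contains qtype %d", n.Header().Name, tc.Qtype)`, which reads as a membership test and points straight at the record. The check is only negative: a response with no NSEC at all passes it silently, which is fine as long as the expected Ns in each case (compared by test.SortAndCheck just above) keeps asserting presence, and that reliance is worth a word in the new comment. The enclosing test function starts before this hunk, and the hunk header names TestLookupDNSKEY, so it is not visible here whether tc and resp come from the dnsTestCases table or a different loop.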