From f8ba15e8dd3de2d9029947c5b77fb62435f2240f Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Fri, 21 Oct 2016 08:59:56 +0000
Subject: [PATCH] - Ported tests for local_cname unit test to testbound framework.
git-svn-id: file:///svn/unbound/trunk@3902 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 3 +
 testdata/local_cname.rpl | 444 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 442 insertions(+), 5 deletions(-)
diff --git a/doc/Changelog b/doc/Changelog
index 8a9b4f27d..a15500f9f 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+21 October 2016: Wouter
+ - Ported tests for local_cname unit test to testbound framework.
+
 20 October 2016: Wouter
 - suppress compile warning in lex files.
 - init lzt variable, for older gcc compiler warnings.
diff --git a/testdata/local_cname.rpl b/testdata/local_cname.rpl
index 8ca01152b..9f7c4f101 100644
--- a/testdata/local_cname.rpl
+++ b/testdata/local_cname.rpl
@@ -1,6 +1,68 @@
 ; config options
 server:
 # put unbound.conf config options here.
+
+ access-control: 127.0.0.1/32 allow_snoop #allow queries with RD bit
+
+ # DNSSEC trust anchor taken from a real world example. Used for
+ # DNSSEC-signed CNAME target.
+ trust-anchor: "infoblox.com. 172800 IN DNSKEY 257 3 5 AwEAAerW6xQkJIb5wxm48RoHD/LE8r/GzmdIGOam0lQczIth+I9ctltV dDJXz5BH8j4TOaOH1gBRCXhsPDyPom/eLEkdUuXNuhV6QnWGHOtz1fuY EO+kBqaI79jR0K31OmevR/H/F3C8gi4T6//6G9qsftvcl6m7+V1vI2+c cgxiiOlMrZZb4YAhue1+tRw57f3aVOSNtcrONO/Jffgb9jbDTKRi33oT fDznyPa1lCWMbuybr/LaCU0LP6fG4BII/FDWFi5rQxMHygWfscdYX06c eGUzHqiuNNGL8Jze6johni71T/hJGtLMozkY7qxOLfWBXOu9kr1MBQh5 6hfibOZMZJM="
+ # Use a fixed and faked date for DNSSEC validation to avoid run-time
+ # re-signing test signatures.
+ val-override-date: "20161001003725"
+
+ define-tag: "cname cname2 nx servfail sec ambiguous"
+ access-control-tag: 127.0.0.1/32 "cname cname2 nx servfail sec"
+
+ # Basic case: one CNAME whose target exists.
+ local-zone: example.com static
+ local-zone-tag: example.com "cname"
+ access-control-tag: 127.0.0.1/32 "cname"
+ access-control-tag-action: 127.0.0.1/32 "cname" redirect
+ access-control-tag-data: 127.0.0.1/32 "cname" "CNAME example.org."
+
+ # Similar to the above, but different original query name.
+ local-zone: another.example.com static
+ local-zone-tag: another.example.com "cname2"
+ access-control-tag: 127.0.0.1/32 "cname2"
+ access-control-tag-action: 127.0.0.1/32 "cname2" redirect
+ access-control-tag-data: 127.0.0.1/32 "cname2" "CNAME example.org."
+
+ # CNAME target is expected to be nonexistent.
+ local-zone: nx.example.com static
+ local-zone-tag: nx.example.com "nx"
+ access-control-tag: 127.0.0.1/32 "nx"
+ access-control-tag-action: 127.0.0.1/32 "nx" redirect
+ access-control-tag-data: 127.0.0.1/32 "nx" "CNAME nx.example.org."
+
+ # Resolution of this CNAME target will result in SERVFAIL.
+ local-zone: servfail.example.com static
+ local-zone-tag: servfail.example.com "servfail"
+ access-control-tag-action: 127.0.0.1/32 "servfail" redirect
+ access-control-tag-data: 127.0.0.1/32 "servfail" "CNAME servfail.example.org."
+
+ # CNAME target is supposed to be DNSSEC-signed.
+ local-zone: sec.example.com static
+ local-zone-tag: sec.example.com "sec"
+ access-control-tag-action: 127.0.0.1/32 "sec" redirect
+ access-control-tag-data: 127.0.0.1/32 "sec" "CNAME www.infoblox.com."
+
+ # Test setup for non-tag based redirect
+ local-zone: example.net redirect
+ local-data: "example.net. IN CNAME cname.example.org."
+
+ ### template zone and tag intended to be used for tests with CNAME and
+ ### other data.
+ ##local-zone: ambiguous.example.com redirect
+ ##@LOCALDATA1@
+ ##@LOCALDATA2@
+ ##local-zone-tag: ambiguous.example.com "ambiguous"
+ ##access-control-tag-action: 127.0.0.1/32 "ambiguous" redirect
+ ##@TAGDATA1@
+ ##@TAGDATA2@
+ + target-fetch-policy: "0 0 0 0 0" # send the queries to the test server (see the 10.0.10.3 entries below)
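Review bot: The `another.example.com` / `"cname2"` stanza and the `"ambiguous"` tag listed in `define-tag` are configured here but no STEP in the scenario (third hunk) ever queries them, so a reader will assume behaviour that is not actually tested; either add the corresponding QUERY/CHECK_ANSWER steps or drop the stanza together with the commented `##@LOCALDATA1@`/`##@TAGDATA1@` template lines, which appear to be leftovers of the old unit-test generator and have no substitution mechanism in an .rpl file. The per-zone `access-control-tag: 127.0.0.1/32 "cname"` (and `"cname2"`, `"nx"`) lines repeat tags already granted by the combined `access-control-tag: 127.0.0.1/32 "cname cname2 nx servfail sec"` line, while the `servfail` and `sec` stanzas have none; pick one style, and if repeated entries for the same netblock replace rather than merge the tag list, only the last one would be in effect, which is worth confirming. The hunk's trailing context lines are cut off in this view.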
@@ -17,14 +79,103 @@
 RANGE_BEGIN 0 1000
 ADDRESS 10.0.10.3
 ; put entries here with answers to specific qname, qtype
+; infoblox.com
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
-example.com. IN A
+infoblox.com. IN DNSKEY
+SECTION ANSWER
+infoblox.com. 172800 IN DNSKEY 256 3 5 AwEAAbi2VnVHFm5rO2EiawNWhTTRPPzaA+VEdpGOc+CtwIZq86C4Ndbp 0M7XTi0wru0Pgh54oGZ3ty9WllYEnVfoA1rcGwFJmAln7KKAuQP+dlGE yHPJYduAjG/JFA6Qq0zj18AmWgks+qvethASMm3PtihQkNytjmQWjiL6 6h8cQwFP
+infoblox.com. 172800 IN DNSKEY 257 3 5 AwEAAerW6xQkJIb5wxm48RoHD/LE8r/GzmdIGOam0lQczIth+I9ctltV dDJXz5BH8j4TOaOH1gBRCXhsPDyPom/eLEkdUuXNuhV6QnWGHOtz1fuY EO+kBqaI79jR0K31OmevR/H/F3C8gi4T6//6G9qsftvcl6m7+V1vI2+c cgxiiOlMrZZb4YAhue1+tRw57f3aVOSNtcrONO/Jffgb9jbDTKRi33oT fDznyPa1lCWMbuybr/LaCU0LP6fG4BII/FDWFi5rQxMHygWfscdYX06c eGUzHqiuNNGL8Jze6johni71T/hJGtLMozkY7qxOLfWBXOu9kr1MBQh5 6hfibOZMZJM=
+infoblox.com. 172800 IN RRSIG DNSKEY 5 2 172800 20161004003725 20160930000830 31651 infoblox.com. Ds7LZY2W59fq9cWgqi3W6so1NGFa7JdjO8zlhK3hGu2a2WG1W/rVftom rCf0gdI5q4BZJnq2o0SdLd/U7he1uWz8ATntEETiNs9/8G7myNK17wQu AN/+3gol+qT4DX0CA3Boz7Z+xFQbTwnnJJvGASa/1jPMIYU8DiyNx3Pe SSh9lbyU/4YI0mshn5ZC2HCFChxr+aVJxk4UHjaPfHhWwVu9oM4IbEfn KD9x4ltKjjy0pXMYqVlNs9+tG2nXdwr/6Q4G+yfRBAcW+cWeW5w4igxf xYFq4Y5gkZetGOReoNODZ9YC9WvcxBo+qY/iUN2k+lEFq+oL8+DthAGH uA1krw==
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.infoblox.com. IN A
+SECTION ANSWER
+www.infoblox.com. 3600 IN A 161.47.10.70
+www.infoblox.com. 3600 IN RRSIG A 5 3 3600 20161003223322 20160929221122 14916 infoblox.com. WbO9ydRAoRTPvdK18atTdLEkkMGoOjuwbcb6vVI0d6Sea3xkcBMNmtst Wdzr+pKEJqO2bfm167X6uhcOHanHZRnirlTnEbuTdsP0HCiIEGQD5iHg UNH2FJSKGNYBmgZKJpuLhDca7oqtkl8EyGA+UEt6Rtq6aW8V0wpkhPHi Pug='
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; example.org
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.org. IN A
+SECTION ANSWER
+example.org. IN A 192.0.2.1
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+cname.example.org. IN A
+SECTION ANSWER
+cname.example.org. IN A 192.0.2.2
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.org. IN AAAA
+SECTION ANSWER
+SECTION AUTHORITY
+example.org. IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NXDOMAIN
+SECTION QUESTION
+nx.example.org. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.org. IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600
+SECTION ADDITIONAL
+ENTRY_END
+
+; for norec query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.org. IN NS
+SECTION ANSWER
+example.org. IN NS ns.example.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR SERVFAIL
+SECTION QUESTION
+servfail.example.org. IN A
 SECTION ANSWER
-example.com. IN A 1.2.3.4
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
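Review bot: The `www.infoblox.com. 3600 IN RRSIG A ...` rdata in the second entry ends in `Pug='`; the trailing apostrophe is not a base64 character and looks like a stray keystroke, and the same text is repeated verbatim in the STEP 280 expected answer of the next hunk. If the .rpl parser ignores it the scenario passes today, but it should be removed in both places so the signature on file is exactly the one that verifies and a stricter parser does not reject the test data later. The `example.org. IN SOA` records in the AAAA and NXDOMAIN entries carry no TTL while the CHECK_ANSWER steps expect `example.org. 3600 IN SOA`; presumably the framework's default TTL fills it in, and a one-line comment such as `; no TTL given: relies on the default TTL matching the 3600 in CHECK_ANSWER` would make that dependency visible.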
@@ -35,23 +186,306 @@
 RANGE_END
 ; QUERY is what the downstream client sends to unbound.
 ; CHECK_ANSWER contains the response from unbound.
+
+; Basic case: both exact and subdomain matches result in the same CNAME
 STEP 10 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
+example.com. IN CNAME
+ENTRY_END
+
+; For type-CNAME queries, the CNAME itself will be returned
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+example.com. IN CNAME
+SECTION ANSWER
+example.com. IN CNAME example.org.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+alias.example.com. IN CNAME
+ENTRY_END
+
+; For type-CNAME queries, the CNAME itself will be returned
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+alias.example.com. IN CNAME
+SECTION ANSWER
+alias.example.com. IN CNAME example.org.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; Basic case: both exact and subdomain matches result in the same CNAME
+; For other types, a complete CNAME chain will have to be returned
+STEP 50 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
 example.com. IN A
 ENTRY_END
-STEP 20 CHECK_ANSWER
+STEP 60 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA NOERROR
+REPLY QR RD RA AA NOERROR
 SECTION QUESTION
 example.com. IN A
 SECTION ANSWER
-example.com. IN A 1.2.3.4
+example.com. IN CNAME example.org.
+example.org. IN A 192.0.2.1
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
+STEP 70 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+alias.example.com. IN A
+ENTRY_END
+
+STEP 80 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+alias.example.com. IN A
+SECTION ANSWER
+alias.example.com. IN CNAME example.org.
+example.org. IN A 192.0.2.1
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; Basic case: both exact and subdomain matches result in the same CNAME.
+; The result is the same for non-recursive query as long as a
+; complete chain is cached.
+STEP 90 QUERY
+ENTRY_BEGIN
+REPLY
+SECTION QUESTION
+example.com. IN A
+ENTRY_END
+
+STEP 100 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RA AA NOERROR
+SECTION QUESTION
+example.com. IN A
+SECTION ANSWER
+example.com. IN CNAME example.org.
+example.org. IN A 192.0.2.1
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+STEP 110 QUERY
+ENTRY_BEGIN
+REPLY
+SECTION QUESTION
+alias.example.com. IN A
+ENTRY_END
+
+STEP 120 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RA AA NOERROR
+SECTION QUESTION
+alias.example.com. IN A
+SECTION ANSWER
+alias.example.com. IN CNAME example.org.
+example.org. IN A 192.0.2.1
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; Similar to the above, but these are local-zone redirect, instead of
+; tag-based policies.
+STEP 130 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.net. IN CNAME
+ENTRY_END
+
+; For type-CNAME queries, the CNAME itself will be returned
+STEP 140 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+example.net. IN CNAME
+SECTION ANSWER
+example.net. IN CNAME cname.example.org.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+STEP 150 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+alias.example.net. IN CNAME
+ENTRY_END
+
+; For type-CNAME queries, the CNAME itself will be returned
+STEP 160 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+alias.example.net. IN CNAME
+SECTION ANSWER
+alias.example.net. IN CNAME cname.example.org.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+STEP 170 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.net. IN A
+ENTRY_END
+
+STEP 180 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+example.net. IN A
+SECTION ANSWER
+example.net. IN CNAME cname.example.org.
+cname.example.org. IN A 192.0.2.2
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+STEP 190 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+alias.example.net. IN A
+ENTRY_END
+
+STEP 200 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+alias.example.net. IN A
+SECTION ANSWER
+alias.example.net. IN CNAME cname.example.org.
+cname.example.org. IN A 192.0.2.2
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+
+; Relatively minor cases follow
+
+; query type doesn't exist for the CNAME target. The original query
+; succeeds with an "incomplete" chain only containing the CNAME.
+STEP 210 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.com. IN AAAA
+ENTRY_END
+
+STEP 220 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+example.com. IN AAAA
+SECTION ANSWER
+example.com. IN CNAME example.org.
+SECTION AUTHORITY
+example.org. 3600 IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600
+SECTION ADDITIONAL
+ENTRY_END
+
+; The CNAME target name doesn't exist. NXDOMAIN with the CNAME will
+; be returned.
+STEP 230 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+nx.example.com. IN A
+ENTRY_END
+
+STEP 240 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NXDOMAIN
+SECTION QUESTION
+nx.example.com. IN A
+SECTION ANSWER
+nx.example.com. IN CNAME nx.example.org.
+SECTION AUTHORITY
+example.org. 3600 IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600
+SECTION ADDITIONAL
+ENTRY_END
+
+; Resolution for the CNAME target will result in SERVFAIL. It will
+; be forwarded to the original query. The answer section should be
+; empty.
+STEP 250 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+servfail.example.com. IN A
+ENTRY_END
+
+STEP 260 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+servfail.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; The CNAME target is DNSSEC-signed and it's validated. If the original
+; query enabled the DNSSEC, the RRSIGs will be included in the answer,
+; but the response should have the AD bit off
+STEP 270 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+sec.example.com. IN A
+ENTRY_END
+
+STEP 280 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD DO RA AA NOERROR
+SECTION QUESTION
+sec.example.com. IN A
+SECTION ANSWER
+sec.example.com. IN CNAME www.infoblox.com.
+www.infoblox.com. 3600 IN A 161.47.10.70
+www.infoblox.com. 3600 IN RRSIG A 5 3 3600 20161003223322 20160929221122 14916 infoblox.com. WbO9ydRAoRTPvdK18atTdLEkkMGoOjuwbcb6vVI0d6Sea3xkcBMNmtst Wdzr+pKEJqO2bfm167X6uhcOHanHZRnirlTnEbuTdsP0HCiIEGQD5iHg UNH2FJSKGNYBmgZKJpuLhDca7oqtkl8EyGA+UEt6Rtq6aW8V0wpkhPHi Pug='
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+
 SCENARIO_END
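Review bot: The comment before STEP 270 states that "the response should have the AD bit off" but not why, and the absence of AD in the STEP 280 line `REPLY QR RD DO RA AA NOERROR` is the only assertion of that security property in the scenario; I would extend the comment to `; but the response should have the AD bit off: the chain starts with an unsigned CNAME served from local data, so the answer as a whole is presumably not authenticated even though the target RRset validates.` Steps 90 to 120 send `REPLY` without RD and only pass because steps 50 to 80 have already filled the cache; the comment above STEP 90 hints at this, but a sentence such as `; NOTE: depends on steps 50-80 having cached the chain; do not reorder` would stop a future reordering from breaking them. The expected RRSIG rdata at STEP 280 ends in `Pug='`, the same stray apostrophe as in the RANGE entry in the previous hunk, and should be fixed in both places together. The RANGE that serves these answers and the SCENARIO_BEGIN line lie outside this hunk.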