mirror of
https://github.com/NLnetLabs/unbound.git
synced 2025-12-20 23:00:56 -05:00
a616437338
* v1 EDER poc * remove superfluous edns_list_get_option function * create an EDER configurable * Hackathon 114 * Fixes for version -04 * Generated configparser and configlexer are not versioned in master anymore * Remove NOERROR DNS Error Reporting; not part of final RFC. * Use assigned IANA EDNS0 Option Code for Report-Channel. * Fix buffer protection and agent domain validity * Use DNS Error Reporting instead of the eder nickname * Update documentation. * Fix typo. * Bail out early if ede is not present. * Forget previous EDNS options from upstream; this is what was implicitly happening but not deterministacally. * Don't report LDNS_EDE_OTHER and bail early if there is no reporting agent. * Only do DNS error reporting when a client asked for something that went wrong. * Add an error reporting agent in the parent that should be ignored. * review feedback. * fixup for fast reload * Add 'num.dns_error_reports' to stats and test for it. --------- Co-authored-by: TCY16 <tom@nlnetlabs.nl> Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
200 lines
4.1 KiB
Text
200 lines
4.1 KiB
Text
; Test DNS Error Reporting.
|
|
|
|
server:
|
|
module-config: "validator iterator"
|
|
trust-anchor-signaling: no
|
|
target-fetch-policy: "0 0 0 0 0"
|
|
verbosity: 4
|
|
qname-minimisation: no
|
|
minimal-responses: no
|
|
rrset-roundrobin: no
|
|
trust-anchor: "a.domain DS 50602 8 2 FA8EE175C47325F4BD46D8A4083C3EBEB11C977D689069F2B41F1A29B22446B1"
|
|
ede: no # It is not needed for dns-error-reporting; only for clients to receive EDEs
|
|
dns-error-reporting: yes
|
|
do-ip6: no
|
|
|
|
stub-zone:
|
|
name: domain
|
|
stub-addr: 0.0.0.0
|
|
stub-zone:
|
|
name: an.agent
|
|
stub-addr: 0.0.0.2
|
|
CONFIG_END
|
|
|
|
SCENARIO_BEGIN Test DNS Error Reporting
|
|
|
|
; domain
|
|
RANGE_BEGIN 0 100
|
|
ADDRESS 0.0.0.0
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
a.domain. IN A
|
|
SECTION AUTHORITY
|
|
a.domain. IN NS ns.a.domain.
|
|
SECTION ADDITIONAL
|
|
ns.a.domain. IN A 0.0.0.1
|
|
HEX_EDNSDATA_BEGIN
|
|
00 12 ; opt-code (Report-Channel)
|
|
00 0A ; opt-len
|
|
02 61 6E 05 61 67 65 6E 74 00 ; an.agent.
|
|
HEX_EDNSDATA_END
|
|
ENTRY_END
|
|
RANGE_END
|
|
|
|
; a.domain
|
|
RANGE_BEGIN 0 9
|
|
ADDRESS 0.0.0.1
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
a.domain. IN DNSKEY
|
|
ENTRY_END
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
a.domain. IN A
|
|
SECTION ANSWER
|
|
a.domain. 5 IN A 0.0.0.0
|
|
; No RRSIG to trigger validation error (and EDE)
|
|
SECTION ADDITIONAL
|
|
; No Report-Channel here
|
|
ENTRY_END
|
|
RANGE_END
|
|
|
|
; a.domain
|
|
RANGE_BEGIN 10 100
|
|
ADDRESS 0.0.0.1
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
a.domain. IN DNSKEY
|
|
ENTRY_END
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
a.domain. IN A
|
|
SECTION ANSWER
|
|
a.domain. 5 IN A 0.0.0.0
|
|
; No RRSIG to trigger validator error and EDE
|
|
SECTION ADDITIONAL
|
|
HEX_EDNSDATA_BEGIN
|
|
00 12 ; opt-code (Report-Channel)
|
|
00 0A ; opt-len
|
|
02 61 6E 05 61 67 65 6E 74 00 ; an.agent.
|
|
HEX_EDNSDATA_END
|
|
ENTRY_END
|
|
RANGE_END
|
|
|
|
; an.agent
|
|
RANGE_BEGIN 10 20
|
|
ADDRESS 0.0.0.2
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
_er.1.a.domain.9._er.an.agent. IN TXT
|
|
SECTION ANSWER
|
|
_er.1.a.domain.9._er.an.agent. IN TXT "OK"
|
|
ENTRY_END
|
|
RANGE_END
|
|
|
|
; Query
|
|
STEP 0 QUERY
|
|
ENTRY_BEGIN
|
|
REPLY RD
|
|
SECTION QUESTION
|
|
a.domain. IN A
|
|
ENTRY_END
|
|
|
|
; Check that validation failed (no DNS error reporting at this state;
|
|
; 'domain' did give an error reporting agent, but the latest upstream
|
|
; 'a.domain' did not)
|
|
STEP 1 CHECK_ANSWER
|
|
ENTRY_BEGIN
|
|
MATCH all
|
|
REPLY QR RD RA SERVFAIL
|
|
SECTION QUESTION
|
|
a.domain. IN A
|
|
ENTRY_END
|
|
|
|
; Wait for the a.domain query to expire (TTL 5)
|
|
STEP 3 TIME_PASSES ELAPSE 6
|
|
|
|
; Query again
|
|
STEP 10 QUERY
|
|
ENTRY_BEGIN
|
|
REPLY RD
|
|
SECTION QUESTION
|
|
a.domain. IN A
|
|
ENTRY_END
|
|
|
|
; Check that validation failed
|
|
; (a DNS Error Report query should have been generated)
|
|
STEP 11 CHECK_ANSWER
|
|
ENTRY_BEGIN
|
|
MATCH all
|
|
REPLY QR RD RA SERVFAIL
|
|
SECTION QUESTION
|
|
a.domain. IN A
|
|
ENTRY_END
|
|
|
|
; Check explicitly that the DNS Error Report query is cached.
|
|
STEP 20 QUERY
|
|
ENTRY_BEGIN
|
|
REPLY RD
|
|
SECTION QUESTION
|
|
_er.1.a.domain.9._er.an.agent. IN TXT
|
|
ENTRY_END
|
|
|
|
; At this range there are no configured agents to answer this.
|
|
; If the DNS Error Report query is not answered from the cache the test will
|
|
; fail with pending messages.
|
|
STEP 21 CHECK_ANSWER
|
|
ENTRY_BEGIN
|
|
MATCH all
|
|
REPLY RD QR RA NOERROR
|
|
SECTION QUESTION
|
|
_er.1.a.domain.9._er.an.agent. IN TXT
|
|
SECTION ANSWER
|
|
_er.1.a.domain.9._er.an.agent. IN TXT "OK"
|
|
ENTRY_END
|
|
|
|
; Wait for the a.domain query to expire (5 TTL).
|
|
; The DNS Error Report query should still be cached (SOA negative).
|
|
STEP 30 TIME_PASSES ELAPSE 6
|
|
|
|
; Force a DNS Error Report query generation again.
|
|
STEP 31 QUERY
|
|
ENTRY_BEGIN
|
|
REPLY RD
|
|
SECTION QUESTION
|
|
a.domain. IN A
|
|
ENTRY_END
|
|
|
|
; Check that validation failed
|
|
STEP 32 CHECK_ANSWER
|
|
ENTRY_BEGIN
|
|
MATCH all
|
|
REPLY QR RD RA SERVFAIL
|
|
SECTION QUESTION
|
|
a.domain. IN A
|
|
ENTRY_END
|
|
|
|
; The same DNS Error Report query will be generated as above.
|
|
; No agent is configured at this range to answer the DNS Error Report query.
|
|
; If the DNS Error Report query is not used from the cache the test will fail
|
|
; with pending messages.
|
|
|
|
SCENARIO_END
|