Add dns_nsec_requiredtypespresent

checks an NSEC rdataset to ensure that both NSEC and RRSIG are present in the type map. These types are required for the NSEC to be valid
2021-11-27 09:12:08 +11:00
parent 571f3af6e8
commit 8ff2c133b5
5 changed files with 98 additions and 1 deletions
--- a/bin/tests/system/synthfromdnssec/ns1/minimal.db.in
+++ b/bin/tests/system/synthfromdnssec/ns1/minimal.db.in
@@ -7,7 +7,11 @@ minimal.		3600	SOA	ns1.minimal. hostmaster.minimal. (
 					3600       ; minimum (1 hour)
 					)
 			3600	NS	ns1.minimal.
-			3600	NSEC	black.minimal. NS SOA RRSIG NSEC DNSKEY
+			3600	NSEC	badtypemap.minimal. NS SOA RRSIG NSEC DNSKEY
+; bad NSEC type map without RRSIG or NSEC
+badtypemap.minimal.	3600	NSEC	black.minimal. A
+badtypemap.minimal.	3600	A	1.2.3.4
+badtypemap.minimal.	3600	AAAA	2002::1
 ; cloudflare black lie
 black.minimal.		3600	NSEC	\000.black.minimal. RRSIG NSEC
 ;
--- a/bin/tests/system/synthfromdnssec/tests.sh
+++ b/bin/tests/system/synthfromdnssec/tests.sh
@@ -67,6 +67,19 @@ check_nosynth_a() (
    return 0
 )

+check_synth_aaaa() (
+    name=$(echo "$1" | sed 's/\./\\./g')
+    grep "^${name}.*[0-9]*.IN.AAAA" ${2} > /dev/null || return 1
+    grep "^${name}.*3600.IN.A" ${2} > /dev/null && return 1
+    return 0
+)
+
+check_nosynth_aaaa() (
+    name=$(echo "$1" | sed 's/\./\\./g')
+    grep "^${name}.*3600.IN.AAAA" ${2} > /dev/null || return 1
+    return 0
+)
+
 check_synth_cname() (
    name=$(echo "$1" | sed 's/\./\\./g')
    grep "^${name}.*[0-9]*.IN.CNAME" ${2} > /dev/null || return 1
@@ -200,6 +213,17 @@ do
    n=$((n+1))
    if [ $ret != 0 ]; then echo_i "failed"; fi
    status=$((status+ret))
+
+    echo_i "prime bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts badtypemap.minimal. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+    grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
 done

 echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
@@ -388,6 +412,27 @@ do
    if [ $ret != 0 ]; then echo_i "failed"; fi
    status=$((status+ret))

+    echo_i "check bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts badtypemap.minimal. @10.53.0.${ns} HINFO > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+    grep 'badtypemap.minimal.*3600.IN.NSEC.black.minimal. A$' dig.out.ns${ns}.test$n > /dev/null || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    echo_i "check bad type map NODATA response with existent data (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts badtypemap.minimal. @10.53.0.${ns} AAAA > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_aaaa badtypemap.minimal. dig.out.ns${ns}.test$n || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
    echo_i "check 'rndc stats' output for 'covering nsec returned' (synth-from-dnssec ${description};) ($n)"
    ret=0
    ${RNDCCMD} 10.53.0.${ns} stats 2>&1 | sed 's/^/ns6 /' | cat_i