mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 14:47:09 +00:00
namerror nsec3 proof works.
git-svn-id: file:///svn/unbound/trunk@616 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards
parent
c7d15770c1
commit
6510d8f20a
@ -1,5 +1,6 @@
|
||||
17 September 2007: Wouter
|
||||
- NSEC3 hash cache unit test.
|
||||
- validator nsec3 nameerror test.
|
||||
|
||||
14 September 2007: Wouter
|
||||
- nsec3 nodata proof, nods proof, wildcard proof.
|
||||
|
||||
@ -179,6 +179,7 @@ pending_find_match(struct replay_runtime* runtime, struct entry** entry,
|
||||
p->start_step, p->end_step, (*entry)->lineno);
|
||||
if(p->addrlen != 0)
|
||||
log_addr("matched ip", &p->addr, p->addrlen);
|
||||
log_pkt("matched pkt: ", (*entry)->reply_list->reply);
|
||||
return 1;
|
||||
}
|
||||
p = p->next_range;
|
||||
|
||||
@ -184,6 +184,8 @@ static void replyline(const char* line, ldns_pkt *reply)
|
||||
ldns_pkt_set_ra(reply, true);
|
||||
} else if(str_keyword(&parse, "AD")) {
|
||||
ldns_pkt_set_ad(reply, true);
|
||||
} else if(str_keyword(&parse, "DO")) {
|
||||
ldns_pkt_set_edns_do(reply, true);
|
||||
} else {
|
||||
error("could not parse REPLY: '%s'", parse);
|
||||
}
|
||||
@ -200,6 +202,8 @@ static void adjustline(const char* line, struct entry* e,
|
||||
return;
|
||||
if(str_keyword(&parse, "copy_id")) {
|
||||
e->copy_id = true;
|
||||
} else if(str_keyword(&parse, "copy_query")) {
|
||||
e->copy_query = true;
|
||||
} else if(str_keyword(&parse, "sleep=")) {
|
||||
e->sleeptime = (unsigned int) strtol(parse, (char**)&parse, 10);
|
||||
while(isspace(*parse))
|
||||
@ -230,6 +234,7 @@ static struct entry* new_entry()
|
||||
e->match_transport = transport_any;
|
||||
e->reply_list = NULL;
|
||||
e->copy_id = false;
|
||||
e->copy_query = false;
|
||||
e->sleeptime = 0;
|
||||
e->next = NULL;
|
||||
return e;
|
||||
@ -692,6 +697,12 @@ adjust_packet(struct entry* match, ldns_pkt* answer_pkt, ldns_pkt* query_pkt)
|
||||
/* copy & adjust packet */
|
||||
if(match->copy_id)
|
||||
ldns_pkt_set_id(answer_pkt, ldns_pkt_id(query_pkt));
|
||||
if(match->copy_query) {
|
||||
ldns_rr_list* list = ldns_pkt_get_section_clone(query_pkt,
|
||||
LDNS_SECTION_QUESTION);
|
||||
ldns_rr_list_deep_free(ldns_pkt_question(answer_pkt));
|
||||
ldns_pkt_set_question(answer_pkt, list);
|
||||
}
|
||||
if(match->sleeptime > 0) {
|
||||
verbose(3, "sleeping for %d seconds\n", match->sleeptime);
|
||||
sleep(match->sleeptime);
|
||||
|
||||
@ -54,11 +54,13 @@
|
||||
(opcode) QUERY IQUERY STATUS NOTIFY UPDATE
|
||||
(rcode) NOERROR FORMERR SERVFAIL NXDOMAIN NOTIMPL YXDOMAIN
|
||||
YXRRSET NXRRSET NOTAUTH NOTZONE
|
||||
(flags) QR AA TC RD CD RA AD
|
||||
(flags) QR AA TC RD CD RA AD DO
|
||||
REPLY ...
|
||||
; any additional actions to do.
|
||||
; 'copy_id' copies the ID from the query to the answer.
|
||||
ADJUST copy_id
|
||||
; 'copy_query' copies the query name, type and class to the answer.
|
||||
ADJUST copy_query
|
||||
; 'sleep=10' sleeps for 10 seconds before giving the answer (TCP is open)
|
||||
ADJUST [sleep=<num>] ; sleep before giving any reply
|
||||
ADJUST [packet_sleep=<num>] ; sleep before this packet in sequence
|
||||
@ -174,6 +176,8 @@ struct entry {
|
||||
/** how to adjust the reply packet */
|
||||
/** copy over the ID from the query into the answer */
|
||||
bool copy_id;
|
||||
/** copy the query nametypeclass from query into the answer */
|
||||
bool copy_query;
|
||||
/** in seconds */
|
||||
unsigned int sleeptime;
|
||||
|
||||
|
||||
@ -111,8 +111,13 @@ void analyze_rdata(ldns_buffer*pkt, const ldns_rr_descriptor* desc,
|
||||
}
|
||||
rdf++;
|
||||
}
|
||||
if(rdlen)
|
||||
if(rdlen) {
|
||||
size_t i;
|
||||
printf(" remain[%d]\n", (int)rdlen);
|
||||
for(i=0; i<rdlen; i++)
|
||||
printf(" %2.2X", (unsigned)ldns_buffer_current(pkt)[i]);
|
||||
printf("\n");
|
||||
}
|
||||
else printf("\n");
|
||||
ldns_buffer_skip(pkt, (ssize_t)rdlen);
|
||||
}
|
||||
|
||||
115
testdata/val_nsec3_b1_nameerror.rpl
vendored
Normal file
115
testdata/val_nsec3_b1_nameerror.rpl
vendored
Normal file
@ -0,0 +1,115 @@
|
||||
; config options
|
||||
server:
|
||||
trust-anchor: "example. DNSKEY 257 3 133 (AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX )"
|
||||
val-override-date: "20120420235959"
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test validator NSEC3 B.1 name error.
|
||||
|
||||
; K.ROOT-SERVERS.NET.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 193.0.14.129
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN NS
|
||||
SECTION ANSWER
|
||||
. IN NS K.ROOT-SERVERS.NET.
|
||||
SECTION ADDITIONAL
|
||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN A
|
||||
SECTION AUTHORITY
|
||||
example. IN NS ns1.example.
|
||||
; leave out to make unbound take ns1
|
||||
;example. IN NS ns2.example.
|
||||
SECTION ADDITIONAL
|
||||
ns1.example. IN A 192.0.2.1
|
||||
; leave out to make unbound take ns1
|
||||
;ns2.example. IN A 192.0.2.2
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns1.example.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 192.0.2.1
|
||||
|
||||
; response to DNSKEY priming query
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example. IN DNSKEY
|
||||
SECTION ANSWER
|
||||
example. DNSKEY 256 3 133 ( AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU 5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL ExXT48OGGdbfIme5 )
|
||||
example. DNSKEY 257 3 133 ( AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1 zsYKWJ7BvR2894hX )
|
||||
example. RRSIG DNSKEY 133 1 3600 20150420235959 ( 20051021000000 22088 example. Xpo9ptByXb8M1JR1i0KuRmKGc/YeOLcc6Ptn RJOx6ADLSL2mU6AYX5tAJRMTKTXk6waLIaxu liqUBOkCjLUZMw== )
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA DO NXDOMAIN
|
||||
SECTION QUESTION
|
||||
a.c.x.w.example. IN A
|
||||
SECTION AUTHORITY
|
||||
example. SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 )
|
||||
example. RRSIG SOA 133 1 3600 20150420235959 20051021000000 ( 62827 example. hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+ rynLZNqsbLm40Q== )
|
||||
|
||||
;; NSEC3 RR that covers the "next closer" name (c.x.w.example)
|
||||
;; H(c.x.w.example) = 0va5bpr2ou0vk0lbqeeljri88laipsfh
|
||||
|
||||
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG )
|
||||
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. rn2tv99+9StXbc7JaEnjT1+8I8f2vVOMOIbF xzlrn94lQLxEOYxQR4SrxDRP4/fC54Jui0Ix 4eI9tMfaTVgehQ== )
|
||||
|
||||
;; NSEC3 RR that matches the closest encloser (x.w.example)
|
||||
;; H(x.w.example) = b4um86eghhds6nea196smvmlo4ors995
|
||||
|
||||
b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd ( gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
|
||||
b4um86eghhds6nea196smvmlo4ors995.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. GWDmUk8Sv0dxy/UZFol4Ss7Wz3wBiongcnVy strNODWwdnoO9z6pDh8JLk58ExfEgXm79i4b Ma6C/s/bkk1LvA== )
|
||||
|
||||
;; NSEC3 RR that covers wildcard at the closest encloser (*.x.w.example)
|
||||
;; H(*.x.w.example) = 92pqneegtaue7pjatc3l3qnk738c6v5m
|
||||
|
||||
35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd ( b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
|
||||
35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 133 2 3600 ( 20150420235959 20051021000000 62827 example. QrjOpXVIvodCw0O8uPMNA+yEeS/o3KKkEIPX r5DoEShq2hymAsRTc/t9BvRKpcSTExyc5m3T vYN3GgN0W/0WHQ== )
|
||||
SECTION ADDITIONAL
|
||||
ENTRY_END
|
||||
|
||||
RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
a.c.x.w.example. IN A
|
||||
ENTRY_END
|
||||
|
||||
; recursion happens here.
|
||||
STEP 10 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA AD NXDOMAIN
|
||||
SECTION QUESTION
|
||||
a.c.x.w.example. IN A
|
||||
SECTION ANSWER
|
||||
SECTION AUTHORITY
|
||||
example. 3600 IN SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 )
|
||||
SECTION ADDITIONAL
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
||||
@ -47,6 +47,7 @@
|
||||
#include "util/region-allocator.h"
|
||||
#include "util/rbtree.h"
|
||||
#include "util/module.h"
|
||||
#include "util/net_help.h"
|
||||
#include "util/data/packed_rrset.h"
|
||||
#include "util/data/dname.h"
|
||||
#include "util/data/msgreply.h"
|
||||
@ -955,6 +956,7 @@ nsec3_do_prove_nameerror(struct module_env* env, struct nsec3_filter* flt,
|
||||
"a closest encloser");
|
||||
return sec_status_bogus;
|
||||
}
|
||||
log_nametypeclass(VERB_ALGO, "nsec3 namerror: proven ce=", ce.ce,0,0);
|
||||
|
||||
/* At this point, we know that qname does not exist. Now we need
|
||||
* to prove that the wildcard does not exist. */
|
||||
@ -985,6 +987,8 @@ nsec3_prove_nameerror(struct module_env* env, struct val_env* ve,
|
||||
return sec_status_bogus; /* no RRs */
|
||||
if(nsec3_iteration_count_high(ve, &flt, kkey))
|
||||
return sec_status_insecure; /* iteration count too high */
|
||||
log_nametypeclass(VERB_ALGO, "start nsec3 nameerror proof, zone",
|
||||
flt.zone, 0, 0);
|
||||
return nsec3_do_prove_nameerror(env, &flt, &ct, qinfo);
|
||||
}
|
||||
|
||||
|
||||
@ -679,6 +679,8 @@ validate_nameerror_response(struct module_env* env, struct val_env* ve,
|
||||
chase_reply->security));
|
||||
return;
|
||||
}
|
||||
has_valid_nsec = 1;
|
||||
has_valid_wnsec = 1;
|
||||
}
|
||||
|
||||
/* If the message fails to prove either condition, it is bogus. */
|
||||
|
||||
Loading…
Reference in New Issue
Block a user