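; Test DNS Error Reporting.
;
; The resolver validates a.domain against the DS trust anchor below. The
; scenario's a.domain server never returns a DNSKEY answer or any RRSIG, so
; every lookup of a.domain ends in a validation failure (SERVFAIL). The
; scenario then checks when a DNS Error Report query is sent to the reporting
; agent and that the agent's answer is served from the cache afterwards.
;
; The stray "|" lines that the page rendering placed between every line have
; been dropped: inside this config section they would be copied into the
; generated unbound.conf and rejected by the config parser.
server:
	; The validator runs on top of the iterator, so answers are DNSSEC-checked.
	module-config: "validator iterator"
	; No RFC 8145 key-tag signaling queries; the scenario has no entries for them.
	trust-anchor-signaling: no
	; All-zero policy: nameserver targets are only fetched on demand, which
	; keeps the upstream queries limited to what the RANGE entries answer.
	target-fetch-policy: "0 0 0 0 0"
	verbosity: 4
	; Full query names go upstream, matching the "MATCH ... qname" entries.
	qname-minimisation: no
	minimal-responses: no
	rrset-roundrobin: no
	; DS trust anchor for a.domain: key tag 50602, algorithm 8, digest type 2.
	trust-anchor: "a.domain DS 50602 8 2 FA8EE175C47325F4BD46D8A4083C3EBEB11C977D689069F2B41F1A29B22446B1"
	ede: no # It is not needed for dns-error-reporting; only for clients to receive EDEs
	dns-error-reporting: yes

; Scenario-only addresses: replies come from the RANGE blocks that use the
; same ADDRESS, not from a network.
stub-zone:
	name: a.domain
	stub-addr: 0.0.0.1
stub-zone:
	name: an.agent
	stub-addr: 0.0.0.2
CONFIG_END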
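SCENARIO_BEGIN Test DNS Error Reporting

; a.domain, steps 0-9.
; In this range the authoritative server does not advertise a reporting agent:
; its replies carry no Report-Channel EDNS option. The resolver therefore has
; nowhere to send an error report, even though validation fails.
; (Page-rendering "|" residue between the lines has been removed.)
RANGE_BEGIN 0 9
ADDRESS 0.0.0.1
; DNSKEY query: NOERROR with an empty answer section, so no key is available
; to match the configured DS trust anchor.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.domain. IN DNSKEY
ENTRY_END
; A query: unsigned answer with a 5 second TTL.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.domain. IN A
SECTION ANSWER
a.domain. 5 IN A 0.0.0.0
; No RRSIG to trigger validation error (and EDE)
SECTION ADDITIONAL
; No Report-Channel here
ENTRY_END
RANGE_END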
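; a.domain, steps 10-100.
; Same unsigned answers as in the 0-9 range, but the A reply now carries a
; Report-Channel EDNS option naming an.agent. as the reporting agent. The
; agent domain is learned only from this upstream reply.
; (Page-rendering "|" residue between the lines has been removed.)
RANGE_BEGIN 10 100
ADDRESS 0.0.0.1
; DNSKEY query: NOERROR with an empty answer section, as before.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.domain. IN DNSKEY
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.domain. IN A
SECTION ANSWER
a.domain. 5 IN A 0.0.0.0
; No RRSIG to trigger validator error and EDE
SECTION ADDITIONAL
; Raw EDNS option: 2-byte option code, 2-byte length, then the agent domain
; in DNS wire format (length-prefixed labels ending in the root label).
HEX_EDNSDATA_BEGIN
00 12		; opt-code (Report-Channel), decimal 18
00 0A		; opt-len, 10 bytes follow
02 61 6E 05 61 67 65 6E 74 00	; an.agent. = 2 "an", 5 "agent", root
HEX_EDNSDATA_END
ENTRY_END
RANGE_END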
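; an.agent, steps 10-20.
; The reporting agent answers the DNS Error Report query. The query name
; encodes the failure: _er.<qtype>.<qname>.<EDE info-code>._er.<agent domain>,
; here qtype 1 (A), qname a.domain and info-code 9 (DNSKEY Missing).
; The agent is only reachable in this range; later steps that need this
; answer must get it from the resolver's cache.
; (Page-rendering "|" residue between the lines has been removed.)
RANGE_BEGIN 10 20
ADDRESS 0.0.0.2
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
_er.1.a.domain.9._er.an.agent. IN TXT
SECTION ANSWER
_er.1.a.domain.9._er.an.agent. IN TXT "OK"
ENTRY_END
RANGE_END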
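; Query
; (Page-rendering "|" residue between the lines has been removed.)
STEP 0 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
a.domain. IN A
ENTRY_END

; Check that validation failed (no DNS error reporting at this stage).
; The client sees a plain SERVFAIL; with "ede: no" in the config no extended
; error is attached. No report query can be sent here because the upstream
; reply in the 0-9 range carried no Report-Channel option.
STEP 1 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA SERVFAIL
SECTION QUESTION
a.domain. IN A
ENTRY_END

; Wait for the a.domain query to expire (TTL 5)
STEP 3 TIME_PASSES ELAPSE 6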
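; Query again
; From step 10 on, the a.domain server includes the Report-Channel option in
; its A reply, so this lookup is the first one that can produce a report.
; (Page-rendering "|" residue between the lines has been removed.)
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
a.domain. IN A
ENTRY_END

; Check that validation failed
; (a DNS Error Report query should have been generated)
; The client-visible result is unchanged: reporting does not alter the
; SERVFAIL returned for the bogus data.
STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA SERVFAIL
SECTION QUESTION
a.domain. IN A
ENTRY_END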
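; Check explicitly that the DNS Error Report query is cached.
; A client asks for the report name directly; the expected answer is the
; agent's TXT "OK" record.
; (Page-rendering "|" residue between the lines has been removed.)
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
_er.1.a.domain.9._er.an.agent. IN TXT
ENTRY_END

; At this range there are no configured agents to answer this.
; If the DNS Error Report query is not answered from the cache the test will
; fail with pending messages.
STEP 21 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY RD QR RA NOERROR
SECTION QUESTION
_er.1.a.domain.9._er.an.agent. IN TXT
SECTION ANSWER
_er.1.a.domain.9._er.an.agent. IN TXT "OK"
ENTRY_END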
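; Wait for the a.domain query to expire (5 TTL).
; The DNS Error Report query should still be cached (SOA negative).
; NOTE(review): the an.agent entry in this scenario answers with a positive
; TXT "OK" record and no SOA, so "(SOA negative)" may not describe the cached
; entry exactly - confirm which TTL keeps it cached past this step.
; (Page-rendering "|" residue between the lines has been removed.)
STEP 30 TIME_PASSES ELAPSE 6

; Force a DNS Error Report query generation again.
STEP 31 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
a.domain. IN A
ENTRY_END

; Check that validation failed
STEP 32 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA SERVFAIL
SECTION QUESTION
a.domain. IN A
ENTRY_END

; The same DNS Error Report query will be generated as above.
; No agent is configured at this range to answer the DNS Error Report query.
; If the DNS Error Report query is not used from the cache the test will fail
; with pending messages.
; This is the dampening check: a repeated validation failure for the same
; name, type and error code must not cause a second report to be sent to the
; agent while the first report's answer is still cached.

SCENARIO_END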